Visteon Infotainment UPDATES_ExtractFile Command Injection RCE (CVE-2024-8358)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Name: (0Day) Visteon Infotainment UPDATES_ExtractFile Command Injection Remote Code Execution Vulnerability 2. Vulnerability ID: ZDI-24-1190, ZDI-CAN-23422 3. CVE ID: CVE-2024-8358 4. CVSS Score: 6.8, AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 5. Affected Vendor: Visteon 6. Affected Product: Infotainment 7. Vulnerability Details: - Allows a physically present attacker to execute arbitrary code on affected Visteon Infotainment systems. - A specific flaw exists in the UPDATES_ExtractFile function. A crafted software update file can trigger a system call composed of user-supplied strings. Attackers can exploit this vulnerability to execute code within the device’s context. 8. Additional Details: - 2024-04-24 - ZDI reported the vulnerability to the vendor. - 2024-04-30 - ZDI requested an update. - 2024-07-29 - ZDI requested an update again. - 2024-08-16 - ZDI notified the vendor of plans to publish the 0-day advisory on 2024-08-30. 9. Mitigation: Due to the nature of the vulnerability, the only mitigation strategy is to restrict interaction with the application. 10. Disclosure Timeline: - 2024-04-24 - Vulnerability reported to vendor. - 2024-08-30 - Coordinated public vulnerability advisory released. - 2024-08-30 - Update advisory published. 11. Credit: Dmitry "InfoSecDJ" Janushkevich of Trend Micro Zero Day Initiative

Goal Reached Thanks to every supporter — we hit 100%!

Visteon Infotainment UPDATES_ExtractFile Command Injection RCE (CVE-2024-8358)