PT-2025-1230 · Mercedes Benz · Mbux (+1)

Published: 2025-01-17 · Updated: 2025-02-18 · CVE-2023-34404

CVSS v3.1: 4.9 (Medium)
Vector: AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Mercedes-Benz head-unit NTG6

Description: The issue affects the Mercedes-Benz head-unit NTG6, whose Base Board exposes Ethernet pins used to connect the CSB module. An attacker who connects to these pins gains access to the internal network. By reaching a specific port, the attacker can send a call request to all services registered in the router and achieve command injection. Additionally, the NWS PF setMacAddrExceptionIP handler of the NetworkingService in the Mercedes-Benz User Experience (MBUX) multimedia system performs insufficient input validation when processing MAC addresses, which can allow an attacker to execute arbitrary commands.

Recommendations: For the Mercedes-Benz head-unit NTG6, restrict access to the Ethernet pins on the Base Board to prevent unauthorized connections to the internal network. As a temporary workaround, disable the NWS PF setMacAddrExceptionIP handler function in the NetworkingService until a patch is available. Avoid using the specific port through which an attacker can send a call request to all services registered in the router until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Access Control

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-00609
CVE-2023-34404

Affected Products

Mbux
Mercedes-Benz Head-Unit Ntg6