PT-2025-29081 · Vw+3

Published: 2025-07-07 · Updated: 2025-10-02 · CVE-2024-45431

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenSynergy BlueSDK (aka Blue SDK) versions through 6.x
Description: The BlueSDK Bluetooth stack contains an Improper Input Validation flaw. The issue stems from insufficient validation of the remote L2CAP channel ID (CID). An attacker can exploit this to create an L2CAP channel using the null identifier as a remote CID. This chain of flaws allows for remote code execution via infotainment systems, confirmed in vehicles such as Mercedes-Benz, VW, and Skoda. Successful exploitation can grant access to GPS data, audio, and contacts, and potentially allow pivoting to core systems. It is estimated that millions of vehicles are impacted.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
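
The check the Description says is missing, shown as an added example that is not BlueSDK code: a Connection Request handler that validates the peer-supplied Source CID before binding a channel. The struct, function names, table size and `REQ_MALFORMED` value are hypothetical; the CID range and result codes are those of the Bluetooth Core Specification, and the two request payloads are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>

/* CID range and Connection Response results per the Bluetooth Core Specification. */
#define L2CAP_CID_DYN_START    0x0040u  /* 0x0000 null, 0x0001-0x003F fixed/reserved */
#define L2CAP_CR_SUCCESS       0x0000
#define L2CAP_CR_NO_RESOURCES  0x0004
#define L2CAP_CR_INVALID_SCID  0x0006
#define L2CAP_CR_SCID_IN_USE   0x0007
#define REQ_MALFORMED          (-1)     /* hypothetical: caller sends Command Reject */
#define MAX_CHANNELS           8        /* hypothetical table size */

/* Hypothetical per-link record of remote CIDs already bound to channels. */
struct acl_link {
    uint16_t remote_cids[MAX_CHANNELS];
    size_t   count;
};

/* Constructed Connection Request payloads: PSM then Source CID, little-endian. */
const uint8_t req_null_scid[4] = { 0x01, 0x00, 0x00, 0x00 };  /* SCID 0x0000 */
const uint8_t req_dyn_scid[4]  = { 0x01, 0x00, 0x40, 0x00 };  /* SCID 0x0040 */

/* Validate the peer-supplied Source CID before any channel state is created. */
int l2cap_check_remote_cid(const struct acl_link *link, uint16_t scid)
{
    if (scid < L2CAP_CID_DYN_START)          /* rejects the null identifier too */
        return L2CAP_CR_INVALID_SCID;
    for (size_t i = 0; i < link->count; i++)
        if (link->remote_cids[i] == scid)
            return L2CAP_CR_SCID_IN_USE;
    return L2CAP_CR_SUCCESS;
}

/* Parse the request and bind the remote CID only when the check passes. */
int l2cap_handle_conn_req(struct acl_link *link, const uint8_t *p, size_t len)
{
    if (len != 4)
        return REQ_MALFORMED;
    uint16_t scid = (uint16_t)(p[2] | (p[3] << 8));
    int result = l2cap_check_remote_cid(link, scid);
    if (result != L2CAP_CR_SUCCESS)
        return result;
    if (link->count == MAX_CHANNELS)
        return L2CAP_CR_NO_RESOURCES;
    link->remote_cids[link->count++] = scid;
    return L2CAP_CR_SUCCESS;
}
```

A refused request leaves the link table untouched, so no channel object ever exists with a null or reserved remote CID.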

Exploit

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-09384
CVE-2024-45431

Affected Products

Bluesdk
Mercedes-Benz
Skoda
Vw