PT-2025-6655 · Apple · Car Play

Published: 2025-02-13 · Updated: 2025-02-14 · CVE-2024-37602

CVSS v3.1: 4.6 (Medium)

Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Mercedes Benz NTG (New Telematics Generation) versions 6 through 2021

Description

An issue was discovered in the Apple Car Play function, which can cause a NULL pointer dereference. This issue affects NTG 6 head units. To exploit this, an attacker needs physical access to the Ethernet pins of the head unit base board. With a static IP address, the attacker can connect to the AirTunes / AirPlay service via the internal network. By sending prepared HTTP requests, the attacker can cause the Car Play service to fail.

Recommendations

For Mercedes Benz NTG (New Telematics Generation) versions 6 through 2021, as a temporary workaround, consider disabling the Apple Car Play function until a patch is available. Restrict access to the AirTunes / AirPlay service to minimize the risk of exploitation. Avoid using the affected head units with static IP addresses until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2024-37602

Affected Products

Car Play
Mercedes Benz NTG