CVE-2023-34402
📋 TL;DR
This vulnerability in Mercedes-Benz NTG6 head units allows attackers to write arbitrary files with speech service privileges by exploiting insufficient validation when importing profile settings via USB. Attackers could potentially execute code or modify system files. Affected users are those with vulnerable Mercedes-Benz vehicles equipped with NTG6 infotainment systems.
💻 Affected Systems
- Mercedes-Benz vehicles with NTG6 head unit
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the head unit system leading to arbitrary code execution, potential vehicle control manipulation, or data exfiltration from connected devices.
Likely Case
Local privilege escalation allowing modification of system files, installation of malicious software, or disruption of infotainment functions.
If Mitigated
Limited to denial of service on the infotainment system if proper USB port controls are implemented.
🎯 Exploit Status
Requires crafting a malicious profile file and physical USB access to the vehicle. No public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Specific firmware update from Mercedes-Benz
Vendor Advisory: https://securelist.com/mercedes-benz-head-unit-security-research/115218/
Restart Required: No
Instructions:
1. Contact authorized Mercedes-Benz dealer
2. Schedule firmware update for NTG6 head unit
3. Apply latest firmware patch from Mercedes-Benz
🔧 Temporary Workarounds
Disable USB profile import
Disable the profile import/export feature in vehicle settings
Navigate to Settings > System > Profile Management > Disable USB Import
USB port restriction
Physically block or disable USB ports when not in use
🧯 If You Can't Patch
- Disable USB profile import feature in vehicle settings
- Educate users to never insert unknown USB devices
- Implement physical security controls for USB ports
🔍 How to Verify
Check if Vulnerable:
Check whether the USB profile import feature is enabled and whether the system has received the latest firmware update from Mercedes-Benz
Check Version:
Navigate to Settings > System Information > Software Version
Verify Fix Applied:
Verify that the firmware version matches the latest Mercedes-Benz security update and test USB profile import with a safe test file
📡 Detection & Monitoring
Log Indicators:
- Multiple failed profile import attempts
- Unusual file write operations by speech service
- USB device insertion events with profile files
Network Indicators:
- Unusual USB device enumeration patterns
SIEM Query:
Search for 'profile import failed' OR 'USB import error' in vehicle system logs