CVE-2024-37603
📋 TL;DR
A type confusion vulnerability exists in the user data import/export function of Mercedes Benz NTG 6 head units. Attackers with physical access to the vehicle's USB interface can cause the User-Data service to crash by sending specially crafted data. The service automatically restarts after failure, potentially causing temporary disruption to user data functionality.
💻 Affected Systems
- Mercedes Benz NTG (New Telematics Generation) 6 head units
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Repeated exploitation could lead to persistent denial-of-service for user data functions, potentially affecting infotainment system stability during critical driving scenarios.
Likely Case
Temporary disruption of user data import/export features when an attacker has physical USB access, with automatic service recovery minimizing sustained impact.
If Mitigated
Minimal impact with proper physical security controls preventing unauthorized USB access to the vehicle's head unit.
🎯 Exploit Status
Exploitation requires preparing malicious data files and physical USB access. No authentication bypass needed for the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Specific version information should be obtained from Mercedes Benz dealerships or official communications
Vendor Advisory: Not publicly available - contact Mercedes Benz directly for security advisories
Restart Required: Yes
Instructions:
1. Contact an authorized Mercedes Benz dealership.
2. Schedule a software update for the NTG 6 system.
3. The technician applies the official firmware patch.
4. Restart the system after the update.
🔧 Temporary Workarounds
Physical USB Port Restriction
Disable or physically secure USB ports to prevent unauthorized access.
User Data Function Disable
Disable user data import/export functionality if it is not required.
🧯 If You Can't Patch
- Implement strict physical security controls for vehicle access
- Disable USB data transfer functionality through system settings
🔍 How to Verify
Check if Vulnerable:
Check NTG 6 system version through vehicle infotainment settings menu. Compare against latest patched version from Mercedes Benz.
Check Version:
Navigate to: Settings > System > Software Information in NTG 6 interface
Verify Fix Applied:
Verify software version after dealership update matches latest patched version. Test user data import/export functions with normal data.
📡 Detection & Monitoring
Log Indicators:
- Repeated User-Data service crashes
- USB data import failures with malformed data patterns
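The "repeated crash following a USB import" indicator above, turned into detection logic run over constructed log lines. This is an added example, not code from this page or from Mercedes Benz; the log line layout, the `usb-import` and `supervisor` sources and the "service User-Data exited" message are assumptions, since the page does not document NTG 6 logging.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): two imports of the same file,
# each followed by a User-Data crash and automatic restart, then a clean import.
SAMPLE_LOG = """\
2024-05-01T10:00:01 usb-import: started file=profile.dat
2024-05-01T10:00:02 supervisor: service User-Data exited (signal 11)
2024-05-01T10:00:03 supervisor: service User-Data restarted
2024-05-01T10:00:20 usb-import: started file=profile.dat
2024-05-01T10:00:21 supervisor: service User-Data exited (signal 11)
2024-05-01T10:00:22 supervisor: service User-Data restarted
2024-05-01T10:05:00 usb-import: started file=contacts.vcf
2024-05-01T10:05:01 usb-import: completed file=contacts.vcf
"""

LINE_RE = re.compile(r"^(\S+) (\S+): (.*)$")      # timestamp source: message
CRASH_RE = re.compile(r"service User-Data exited")  # assumed crash message
IMPORT_RE = re.compile(r"started file=(\S+)")       # assumed import start message

def parse(log_text):
    """Split log text into (timestamp, source, message) tuples, skipping junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def find_import_triggered_crashes(log_text, max_gap_s=5):
    """Return (total_crashes, hits); hits lists (import_file, crash_time) pairs
    where a User-Data crash followed a USB import start within max_gap_s seconds."""
    last_import = None
    hits, crashes = [], 0
    for ts, src, msg in parse(log_text):
        if src == "usb-import" and (im := IMPORT_RE.search(msg)):
            last_import = (ts, im.group(1))
        elif src == "supervisor" and CRASH_RE.search(msg):
            crashes += 1
            if last_import and ts - last_import[0] <= timedelta(seconds=max_gap_s):
                hits.append((last_import[1], ts))
    return crashes, hits

def is_suspicious(log_text, min_repeats=2):
    """Flag when at least min_repeats crashes were each preceded by a USB import:
    one crash may be a bad file, a repeating pattern matches this CVE's indicator."""
    return len(find_import_triggered_crashes(log_text)[1]) >= min_repeats
```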
Network Indicators:
- No network indicators - purely local USB-based attack
SIEM Query:
Not applicable - physical access attack with no network traffic