Vulnerability In Volkswagen Discover Media: Automaker Steps In


A vulnerability in the Volkswagen Discover Media infotainment system can expose an unpatched system to a Denial of Service (DoS) attack. The vulnerability, tracked as CVE-2023-34733, was reported to Volkswagen by a user, and the company later investigated it.

Details about the vulnerability in Volkswagen Discover Media

The vulnerability in the Volkswagen Discover Media infotainment system was discovered on February 28, 2023, according to a GitHub report. The individual who discovered and reported the vulnerability used a Volkswagen Jetta 2021.

The medium severity bug in Volkswagen had a base score of 6.8, according to a NIST report.


The user connected their laptop to the Volkswagen USB port and generated media files with a fuzzer. They fuzzed media files, including MP3, WMA and WAV among others, to find out more about the vulnerability in Volkswagen Discover Media.


“Since Volkswagen’s media player was more robust than expected, I created a separate media file fuzzer specifically for Volkswagen’s infotainment system. I fuzzed more than 20,000 media files per day, and discovered the vulnerability in the OGG file after one day of fuzzing,” the user wrote on GitHub, explaining how they fuzzed to get a clear idea of the Volkswagen infotainment system vulnerability.

Through fuzzing, they identified a media file that triggered the vulnerability in Volkswagen Discover Media. It also left the Volkswagen infotainment system unable to turn back on after it was turned off.

The issue was resolved by manually rebooting the Volkswagen infotainment system. “When a USB is inserted into the port, the media file is automatically played and the Infotainment System is forcibly terminated,” the GitHub page added.

It was observed that such a vulnerability in Volkswagen Discover media could result in security issues such as remote code execution.

Response from Volkswagen about the vulnerability in Discover media software

After receiving this report from the user, the German vehicle giant responded with confirmation about the vulnerability.

Screenshot of reply from Volkswagen to the user (Photo: GitHub)

The company had the vulnerability in the Volkswagen infotainment system analyzed by its incident response team and later by the Research & Development department. They confirmed to the user, named ‘zj3t’ in the email screenshot above, that the vulnerability was a topic of product quality and that it was in need of improvement.

The vulnerability in Volkswagen Discover Media was found in Volkswagen Discover Media Infotainment System software version 0876.

What is fuzzing and how it helps understand vulnerabilities

The vulnerability in the Volkswagen Discover Media software was further understood through fuzzing, an automated testing mechanism that injects malformed inputs into a system in order to understand vulnerabilities in the software.

Fuzz testing involves injecting invalid inputs and monitoring for a resulting crash or data leak. This shows the gaps in the system that must be addressed.

Fuzzing is also a technique used by hackers to exploit available vulnerabilities in software. It is a low-cost testing mechanism that offers swifter results. Researchers must use more advanced fuzzers, rather than open-source fuzzers, to detect vulnerabilities better. Advanced fuzzers provide more thorough test coverage of where and when the bug triggers.
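The loop this section describes, as an added Python example that is not taken from the GitHub report or the researcher's fuzzer: it mutates a constructed Ogg page and runs it through a parser that trusts the file's length fields and through one that validates them. Both parsers, the seed file and every function name are hypothetical and are not a model of the Volkswagen software.

```python
import random
import struct

HDR = struct.Struct("<4sBBqIIIB")  # fixed 27-byte Ogg page header (RFC 3533)

def make_seed(payload: bytes = b"A" * 40) -> bytes:
    """Constructed seed: one well-formed page, one segment (CRC field left at 0)."""
    return HDR.pack(b"OggS", 0, 0x02, 0, 1, 0, 0, 1) + bytes([len(payload)]) + payload

def parse_fragile(data: bytes) -> bytes:
    """Hypothetical parser that trusts the length fields stored in the file."""
    nsegs = data[26]
    body_len = sum(data[27 + i] for i in range(nsegs))           # IndexError on short table
    return bytes(data[27 + nsegs + i] for i in range(body_len))  # IndexError on short body

def parse_hardened(data: bytes) -> bytes:
    """Same format, but every length is checked and failures become ValueError."""
    if len(data) < HDR.size:
        raise ValueError("truncated header")
    magic, version, *_unused, nsegs = HDR.unpack_from(data)
    if magic != b"OggS" or version != 0:
        raise ValueError("bad capture pattern or version")
    table = data[27:27 + nsegs]
    body = data[27 + nsegs:27 + nsegs + sum(table)]
    if len(table) != nsegs or len(body) != sum(table):
        raise ValueError("length fields exceed file size")
    return body

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Overwrite 1-4 random bytes, then truncate the file 30% of the time."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    if rng.random() < 0.3:
        del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)

def fuzz(target, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Return (exception name, input) for every failure other than a clean ValueError."""
    rng, seed, findings = random.Random(rng_seed), make_seed(), []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            pass                      # malformed file rejected cleanly
        except Exception as exc:      # unexpected failure: keep the input for triage
            findings.append((type(exc).__name__, case))
    return findings
```

Calling `fuzz(parse_fragile)` returns the mutated files that raised an unhandled exception, while `fuzz(parse_hardened)` returns an empty list because every malformed page is rejected with `ValueError`. The fixed `rng_seed` makes each run reproduce the same findings.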
