CVE-2024-8355 identifies a critical SQL Injection vulnerability in the DeviceManager module of the Visteon Infotainment system, version 74.00.311A. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89) when processing the iAP Serial Number input. This input is not properly sanitized before being incorporated into SQL queries, allowing an attacker to inject arbitrary SQL code. Exploitation does not require authentication or user interaction but does require physical access to the vehicle's infotainment system. Successful exploitation enables execution of arbitrary code with root privileges, potentially compromising the entire system. The vulnerability was assigned by ZDI (ZDI-CAN-20112) and published on November 22, 2024, with a CVSS v3.0 base score of 6.8 (medium severity). The attack vector is physical (AV:P), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No patches have been released yet, and no known exploits are reported in the wild. The vulnerability poses a significant risk to vehicle security, potentially allowing attackers to gain root-level control over the infotainment system, which could be leveraged for further attacks on vehicle systems or data exfiltration.

The impact of CVE-2024-8355 is substantial for organizations and individuals relying on Visteon Infotainment systems. Successful exploitation can lead to full compromise of the infotainment system with root privileges, threatening the confidentiality, integrity, and availability of the system. This could allow attackers to manipulate vehicle functions, access sensitive user data, or use the compromised system as a pivot point for further attacks on connected vehicle networks. The requirement for physical access limits remote exploitation but does not eliminate risk, especially in scenarios such as vehicle servicing, rentals, or theft. The vulnerability could undermine consumer trust and lead to regulatory scrutiny for automotive manufacturers and suppliers. Additionally, the lack of a patch increases exposure time, necessitating immediate mitigation efforts to reduce risk.

Given the absence of an official patch, organizations should implement the following mitigations: 1) Restrict physical access to vehicles equipped with the affected Visteon Infotainment system, especially in high-risk environments such as fleet vehicles or rental cars. 2) Employ physical security controls such as locking mechanisms or surveillance to prevent unauthorized access to the infotainment interface. 3) Monitor infotainment system logs for unusual activity or unexpected input patterns that may indicate attempted exploitation. 4) Coordinate with Visteon and vehicle manufacturers to obtain updates or firmware patches as soon as they become available. 5) Educate vehicle users and maintenance personnel about the risks of connecting unknown devices or cables to the infotainment system. 6) Consider network segmentation within the vehicle to isolate the infotainment system from critical vehicle control systems, limiting potential lateral movement. 7) For organizations managing large fleets, implement inventory tracking of affected infotainment versions and prioritize vehicles for inspection or temporary decommissioning until mitigations or patches are applied.