CVE-2024-8358: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Visteon Infotainment
Visteon Infotainment UPDATES_ExtractFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment systems. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPDATES_ExtractFile function. A crafted software update file can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23422.
AI Analysis
Technical Summary
CVE-2024-8358 is a vulnerability classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) affecting Visteon Infotainment systems, specifically the cmu150_NA_74.00.324A version. The flaw exists in the UPDATES_ExtractFile function, which processes software update files. An attacker with physical access can supply a crafted update file containing a string that is not properly neutralized before it is used to compose a system call. This results in OS command injection, allowing arbitrary code execution with the privileges of the infotainment system. No authentication or user interaction is required, which increases the risk once physical access is obtained. The vulnerability was assigned CVE-2024-8358 and published on November 22, 2024. The CVSS v3.0 score of 6.8 reflects medium severity: the impact on confidentiality, integrity, and availability is high, but the attack vector is physical access, which rules out remote exploitation. No public exploits or patches are currently available; the vulnerability was reported by the Zero Day Initiative (ZDI) under ZDI-CAN-23422. It could be leveraged to compromise vehicle infotainment systems, potentially impacting vehicle security and user privacy.
Potential Impact
The primary impact of CVE-2024-8358 is the potential for an attacker with physical access to execute arbitrary code on affected Visteon Infotainment systems. This could lead to unauthorized control over the infotainment device, exposing sensitive user data such as navigation history, contacts, or media files. Additionally, compromised infotainment systems might serve as a pivot point for further attacks on vehicle networks, potentially affecting vehicle safety features or other connected systems. The integrity and availability of the infotainment system could be disrupted, causing denial of service or malicious behavior. Although remote exploitation is not possible without physical access, the widespread use of Visteon systems in vehicles globally means that attackers with physical proximity (e.g., valet services, repair shops, or malicious insiders) could exploit this vulnerability. This poses risks to user privacy, vehicle security, and brand reputation for automotive manufacturers using these infotainment units.
Mitigation Recommendations
1. Restrict physical access to vehicles equipped with affected Visteon Infotainment systems, especially in high-risk environments such as valet parking, repair shops, or fleet management.
2. Monitor and control the source and integrity of software update files to ensure only trusted and verified updates are applied. Implement cryptographic signature verification for update files if not already in place.
3. Deploy network segmentation within the vehicle to isolate the infotainment system from critical vehicle control networks, limiting potential lateral movement if compromised.
4. Work with Visteon and automotive OEMs to obtain and apply security patches or firmware updates addressing this vulnerability as soon as they become available.
5. Conduct regular security assessments and penetration testing on vehicle infotainment systems to identify and remediate similar vulnerabilities proactively.
6. Educate vehicle users and service personnel about the risks of unauthorized physical access and the importance of update file integrity.
7. Implement runtime application self-protection (RASP) or intrusion detection mechanisms within the infotainment system to detect anomalous command execution attempts.
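The root cause described above (an entry name taken from the update file and used to compose a system call) and mitigation step 2 are illustrated by the following added example. It is not Visteon's code: the extractor tool path and its `--archive`/`--member` options are hypothetical, and the point is that the entry name is allowlist-validated and then passed as a single argv element to execv, so no shell ever parses it.

```c
/* Added example (not Visteon's code): extracting an update-file entry without
 * letting the entry name reach a shell. The external tool and its options are
 * hypothetical; the validation and the no-shell launch are the technique. */
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ENTRY_NAME 64

/* Allowlist check on an entry name read from the update file.
 * Accepts only [A-Za-z0-9._-], rejects empty or over-long names, names that
 * start with '.' (hidden files) or '-' (would be parsed as a tool option),
 * and any ".." (path traversal). Returns 1 if safe, 0 otherwise. */
int update_entry_name_is_safe(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > MAX_ENTRY_NAME) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;
    if (strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* The CWE-78 shape is snprintf(cmd, ..., "tool -x %s", name); system(cmd),
 * where the shell interprets metacharacters inside name. Here the name is
 * validated and the tool is started with fork/execv: every argv element is
 * handed to the tool verbatim. Returns the tool's exit status, or -1 if the
 * name is rejected or the child could not be waited for. */
int extract_update_entry(const char *tool_path, const char *archive, const char *name)
{
    if (!update_entry_name_is_safe(name)) return -1;
    char *const argv[] = { "extract-tool", "--archive", (char *)archive,
                           "--member", (char *)name, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(tool_path, argv);   /* no shell involved */
        _exit(127);               /* exec failed: conventional 127 */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Note that validation still matters even without a shell: it keeps traversal and option-looking names out of the tool's arguments, which is the second half of what signature verification of the whole update file (mitigation step 2) does not cover on its own.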
Affected Countries
United States, Germany, Japan, South Korea, China, Canada, United Kingdom, France, Italy, Mexico
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2024-08-30T16:16:12.024Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 699f6c26b7ef31ef0b560885
Added to database: 2/25/2026, 9:39:50 PM
Last enriched: 2/28/2026, 2:11:27 AM
Last updated: 4/12/2026, 10:34:44 AM