Volkswagen and Skoda MIB3 Infotainment Lack of Privilege Separation in IPC Mechanism Vulnerability

A vulnerability exists in the MIB3 infotainment units of Volkswagen and Skoda vehicles, specifically in models manufactured by Preh Car Connect GmbH. This vulnerability arises from the absence of privilege separation in the proprietary inter-process communication (IPC) mechanism used for remote procedure calls between services on the R-CAR M3 System-on-Chip. As a result, attackers with system presence can exploit this flaw to bypass access control restrictions at the operating system level. The vulnerability was confirmed in a Skoda Superb III vehicle with the MIB3 infotainment unit OEM part number 3V0035820, and it also affects various Volkswagen models with different OEM part numbers.

Impact

Exploitation of this vulnerability allows for unauthorized access to IPC services, potentially leading to privilege escalation and execution of arbitrary commands in the context of the targeted service.

Reproduction

The vulnerability can be reproduced by initializing the custom IPC mechanism from a process that lacks the necessary privileges. Once the IPC is active, remote procedures can be called on behalf of the process, bypassing access controls.