Bosch Infotainment ECU
cpe:2.3:o:bosch:cpp7.3_firmware:*:*:*:*:*:*:*
- 283C30861E
A stack overflow vulnerability has been identified in the Infotainment ECU of the Nissan Leaf ZE1, manufactured in 2020. This vulnerability occurs in the RH850 module during the processing of requests over the INC interface, which uses a custom protocol for CAN communication. An attacker with code execution on the Infotainment's main SoC can exploit this vulnerability to execute code on the RH850 module and send arbitrary CAN messages over the connected CAN bus. The issue was first discovered in a Nissan Leaf ZE1 from 2020.
Exploitation of this vulnerability allows for remote code execution on the RH850 module, which can then be used to send arbitrary messages over the CAN bus, potentially interfering with vehicle operations.
The vulnerability can be reproduced by sending a crafted signal message over the INC interface's NET_BROADCAST_PORT. This can be done using the official Nissan application, which may trigger the vulnerability without user awareness.