CVE-2024-37602 in NTG
Summary
by MITRE • 02/14/2025
An issue was discovered in Mercedes Benz NTG (New Telematics Generation) 6 through 2021. A possible NULL pointer dereference in the Apple Car Play function affects NTG 6 head units. To perform this attack, physical access to Ethernet pins of the head unit base board is needed. With a static IP address, an attacker can connect via the internal network to the AirTunes / AirPlay service. With prepared HTTP requests, an attacker can cause the Car Play service to fail.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/01/2025
The vulnerability identified as CVE-2024-37602 represents a critical security flaw within Mercedes Benz NTG 6 telematics systems spanning from 2021 model years. This issue manifests as a potential NULL pointer dereference condition within the Apple CarPlay implementation, specifically affecting head unit hardware that operates under the NTG 6 platform architecture. The vulnerability is particularly concerning due to its exposure through the vehicle's internal network infrastructure, making it accessible to attackers who can establish physical access to the vehicle's Ethernet pin connections on the head unit base board.
The technical exploitation of this vulnerability requires an attacker to gain physical access to the vehicle's internal Ethernet pins, which provides a direct pathway to the head unit's network interface. Once physical access is established, attackers can configure their attacking machine with a static IP address to establish network connectivity with the vehicle's internal network. This connection point allows for access to the AirTunes and AirPlay services that are integral components of the CarPlay functionality. The attack vector specifically leverages prepared HTTP requests that are designed to trigger the NULL pointer dereference condition within the CarPlay service implementation, causing the service to crash or fail entirely.
The operational impact of this vulnerability extends beyond simple service disruption, as it fundamentally compromises the reliability and safety of the vehicle's infotainment system. When the CarPlay service fails, drivers lose access to critical connectivity features including navigation, music streaming, and phone integration capabilities that are increasingly essential for modern vehicle operation. This failure mode creates potential safety concerns as drivers may be forced to use their mobile devices manually rather than through the integrated system, increasing distraction levels during driving operations. The vulnerability also represents a significant concern from a cybersecurity perspective as it demonstrates a potential pathway for more sophisticated attacks that could leverage this initial compromise to access other vehicle systems.
This vulnerability aligns with CWE-476, which specifically addresses NULL pointer dereference conditions in software implementations. The attack methodology follows patterns consistent with the ATT&CK framework's technique T1059 for command and control communications, as the attacker establishes network connectivity to execute malicious HTTP requests against the target system. The requirement for physical access to Ethernet pins places this vulnerability in the category of attack vectors that require a specific physical security posture, though this access point represents a significant risk given that automotive systems increasingly rely on network connectivity for both functionality and security features. The specific targeting of the AirPlay service within the CarPlay implementation indicates that the vulnerability exists in the service's handling of network requests and its memory management during service operation.
The mitigation strategy for this vulnerability requires immediate implementation of network segmentation and access controls to prevent unauthorized physical access to vehicle Ethernet interfaces. Vehicle manufacturers should implement firmware updates that properly handle NULL pointer conditions within the CarPlay service, ensuring that all input validation occurs before memory operations are performed. Additionally, network monitoring should be deployed to detect anomalous HTTP request patterns that might indicate exploitation attempts. The solution approach should follow industry standards for automotive cybersecurity including ISO/SAE 21434 and SOTIF (Safety of the Intended Functionality) principles to ensure comprehensive protection against similar vulnerabilities in vehicle telematics systems. Regular security assessments of vehicle network interfaces and service implementations should be conducted to identify and remediate similar memory management issues that could compromise vehicle system integrity and driver safety.