Release date:7.7.2025
Product: OpenSynergy BlueSDK
Affected versions: N/A
Fixed versions: N/A
Severity: Critical
CVE numbers: CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, CVE-2024-45434
Authors: Mikhail Evdokimov (PCA)
Visit PerfektBlue webpage: https://perfektblue.pcacybersecurity.com
PRODUCT DESCRIPTION
OpenSynergy Bluetooth Protocol Stack (BlueSDK) currently provides the A2DP, AVRCP, VDP, BIP, BPP, CTN, FTP, GPP, HFP, HSP, HCRP, HDP, HID, MAP, OPP, PAN, PBAP, SAP, DUN, FAX, DID and GATT profiles. It is licensed by the Bluetooth Special Interest Group (SIG). The Bluetooth Software Development Kit (Blue SDK) can easily be integrated into any operating system. It supports both BR/EDR (Classic) and Low Energy operation; classic profiles and low energy profiles use the same underlying protocol stack software.
BlueSDK is a popular embedded Bluetooth stack used in the automotive industry, so many automotive products on the market may be affected by the identified vulnerabilities.
The PCA Team did not have access to the source code of the BlueSDK product and performed its analysis on a compiled BlueSDK-based Bluetooth executable located on the testing device.
SUMMARY
The PCA Security Assessment Team identified multiple vulnerabilities of low-to-critical severity, allowing an attacker to obtain 1-click Remote Code Execution (RCE) in the operating system of a device that uses the BlueSDK Bluetooth stack. With this level of access, an attacker could manipulate the system, escalate privileges and perform lateral movement to other components of the target product.
The BlueSDK implementation supports various security levels for incoming connections from remote devices. It is the responsibility of the end developer to select an appropriate authorization security level for a target Bluetooth profile.
On the testing devices the PCA Team used for vulnerability research and verification, the vulnerabilities were reachable only after pairing. However, they may be reachable before the pairing process on some devices using BlueSDK, as this depends heavily on the implementation chosen by the end developer (either the profile security level or the "Just Works" SSP mode).
CVE ID | Description | CVSS 3.1 score |
---|---|---|
CVE-2024-45434 | Use-After-Free in AVRCP service | 8.0 (Critical) |
CVE-2024-45431 | Improper validation of an L2CAP channel's remote CID | 3.5 (Low) |
CVE-2024-45433 | Incorrect function termination in RFCOMM | 5.7 (Medium) |
CVE-2024-45432 | Function call with incorrect parameter in RFCOMM | 5.7 (Medium) |
DISCLOSURE TIMELINE
Date | Description |
---|---|
17/05/2024 | First contact with the OpenSynergy Security Team |
24/05/2024 | Exchange of public keys. Advisory sent to psec@opensynergy.com |
12/06/2024 | OpenSynergy confirmed receipt of the report |
19/06/2024 | PCA confirmed PerfektBlue presence in ICAS3 infotainment. Verified on Volkswagen ID.4. Volkswagen incident response team was informed |
10/07/2024 | Follow-up from PCA Security Assessment Team to OpenSynergy |
15/07/2024 | OpenSynergy confirmed the vulnerabilities, and informed PCA about working on the patches |
30/08/2024 | CVE numbers were reserved through MITRE |
09/2024 | According to OpenSynergy, patches were ready |
31/10/2024 | PCA confirmed PerfektBlue presence in MIB3 by Preh Car Connect. Verified on Skoda Superb 3. Volkswagen incident response team was informed |
31/10/2024 | PCA shared public advisory with OpenSynergy for review. Disclosure scheduled for 2025 to give vendors & suppliers enough time to patch |
05/11/2024 | PCA confirmed PerfektBlue presence in Mercedes NTG6 IVI. Confirmed on NTG6 test bench. Mercedes security team was informed |
09/11/2024 | OpenSynergy provides feedback for the advisory |
19/03/2025 | PCA shares text of the PerfektBlue website perfektblue.pcacybersecurity.com with OpenSynergy for review. |
06/06/2025 | PCA confirmed PerfektBlue presence in multiple vehicles of an undisclosed OEM. Their security team was informed |
10/06/2025 | Publication of the website and the advisory scheduled for 2nd of July. PCA informed OpenSynergy about the publication date |
23/06/2025 | Undisclosed OEM informed PCA that they had not received a vulnerability notice or patch from their supply chain. PCA proceeds with publication without disclosing the OEM |
07/07/2025 | This advisory becomes public to raise awareness about the attack chain among OEMs, suppliers, and product users |
PCA would like to note that OpenSynergy communicated openly with us and handled our disclosure promptly.
According to OpenSynergy, patches were rolled out in September 2024. However, not all OEMs had received the patch by June 2025. This was most likely caused by long and complex vehicle supply chains.
TECHNICAL DETAILS
CVE-2024-45434: Use-After-Free In AVRCP
The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of validation that an object still exists before operations are performed on it (use-after-free). An attacker can leverage this vulnerability to obtain remote code execution in the context of the user account under which the Bluetooth process is running.
CVE-2024-45431: Improper validation of an L2CAP channel's remote CID
The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of proper validation of the remote L2CAP channel ID (CID). An attacker can leverage this vulnerability to create an L2CAP channel with the null identifier assigned as the remote CID.
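The defensive check implied by this finding, as an added illustration that is not BlueSDK code and does not describe its internals: an L2CAP stack should refuse to bind a channel to a remote CID outside the dynamically allocated range. Per the Bluetooth Core Specification, CID 0x0000 is the null identifier, 0x0001-0x003F are fixed or reserved, and 0x0040-0xFFFF are dynamic on BR/EDR. The function names, verdict enum and sample packets below are constructed for this example; the packets are hand-built, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* L2CAP signaling command codes (Bluetooth Core Spec, Vol 3, Part A, Sec. 4). */
#define L2CAP_CONNECTION_REQ 0x02
#define L2CAP_CONNECTION_RSP 0x03

/* 0x0000 is the null identifier and must never name a channel; 0x0001-0x003F
 * are fixed/reserved; 0x0040-0xFFFF are the dynamically allocated CIDs a peer
 * may legitimately announce on a BR/EDR ACL-U link. */
#define L2CAP_CID_NULL      0x0000
#define L2CAP_CID_DYN_FIRST 0x0040

/* Hypothetical verdict type for this example. */
typedef enum {
    CID_OK = 0,            /* dynamic CID, safe to bind the channel to */
    CID_REJECT_NULL,       /* peer announced the null identifier */
    CID_REJECT_RESERVED,   /* peer announced a fixed or reserved CID */
    CID_REJECT_MALFORMED,  /* buffer too short or Length field overruns it */
    CID_NOT_APPLICABLE     /* command carries no remote CID */
} cid_verdict_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The validation the advisory describes as missing: reject any remote CID
 * that is not in the dynamic range before a channel object is created. */
cid_verdict_t l2cap_check_remote_cid(uint16_t cid)
{
    if (cid == L2CAP_CID_NULL)     return CID_REJECT_NULL;
    if (cid < L2CAP_CID_DYN_FIRST) return CID_REJECT_RESERVED;
    return CID_OK;
}

/* Parse one signaling command (Code, Identifier, Length as LE16, payload),
 * extract the CID the peer wants us to treat as the remote CID, validate it.
 * Connection Request payload : PSM(2) | Source CID(2)  -> Source CID is the peer's.
 * Connection Response payload: Destination CID(2) | Source CID(2) | Result(2) | Status(2)
 *                              -> Destination CID is the peer's. */
cid_verdict_t l2cap_validate_remote_cid(const uint8_t *pkt, size_t len, uint16_t *out_cid)
{
    if (pkt == NULL || len < 4) return CID_REJECT_MALFORMED;
    uint8_t code = pkt[0];
    uint16_t plen = le16(pkt + 2);
    if (plen > len - 4) return CID_REJECT_MALFORMED;   /* Length claims more than we have */
    const uint8_t *payload = pkt + 4;
    uint16_t remote_cid;

    switch (code) {
    case L2CAP_CONNECTION_REQ:
        if (plen < 4) return CID_REJECT_MALFORMED;
        remote_cid = le16(payload + 2);
        break;
    case L2CAP_CONNECTION_RSP:
        if (plen < 8) return CID_REJECT_MALFORMED;
        remote_cid = le16(payload);
        break;
    default:
        return CID_NOT_APPLICABLE;
    }
    if (out_cid) *out_cid = remote_cid;
    return l2cap_check_remote_cid(remote_cid);
}

/* Constructed sample commands for this example (not captured traffic).
 * Response announcing Destination CID 0x0000 (the null identifier): */
const uint8_t kRspNullCid[]   = {0x03, 0x01, 0x08, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00};
/* Request with Source CID 0x0041, a valid dynamic CID: */
const uint8_t kReqDynCid[]    = {0x02, 0x02, 0x04, 0x00, 0x17, 0x00, 0x41, 0x00};
/* Request with Source CID 0x0001 (the fixed signaling channel): */
const uint8_t kReqFixedCid[]  = {0x02, 0x03, 0x04, 0x00, 0x17, 0x00, 0x01, 0x00};
/* Response whose Length field (8) exceeds the bytes actually present: */
const uint8_t kRspTruncated[] = {0x03, 0x04, 0x08, 0x00, 0x00, 0x00};

int main(void)
{
    static const char *names[] = {"OK", "REJECT_NULL", "REJECT_RESERVED", "REJECT_MALFORMED", "NOT_APPLICABLE"};
    uint16_t cid = 0;
    printf("null CID response : %s\n", names[l2cap_validate_remote_cid(kRspNullCid, sizeof kRspNullCid, &cid)]);
    printf("dynamic CID request: %s (cid=0x%04x)\n", names[l2cap_validate_remote_cid(kReqDynCid, sizeof kReqDynCid, &cid)], cid);
    printf("fixed CID request  : %s\n", names[l2cap_validate_remote_cid(kReqFixedCid, sizeof kReqFixedCid, &cid)]);
    printf("truncated response : %s\n", names[l2cap_validate_remote_cid(kRspTruncated, sizeof kRspTruncated, &cid)]);
    return 0;
}
```

The length check precedes any payload access so a short or inconsistent command is rejected before a CID is ever read; the CID range check then runs before any channel state is allocated, which is the point at which a stack should discard a null or reserved identifier.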
CVE-2024-45433: Incorrect function termination in RFCOMM
The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the function not returning from its control flow after detecting an unusual condition. An attacker can leverage this vulnerability to bypass a security validation and have the incoming data processed anyway.
CVE-2024-45432: Function call with incorrect parameter in RFCOMM
The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from an incorrect variable being used as a function argument. An attacker can leverage this vulnerability to cause unexpected behavior or obtain an information leak.
AFFECTED VENDORS
Public resources containing Bluetooth certification information were used to identify vendors and products that use the BlueSDK framework; the vendors and products identified this way are therefore potentially affected. In addition, the vulnerabilities were confirmed on 4 in-vehicle infotainment units from different manufacturers.
The following table is a non-exhaustive list of affected vendors:
Vendor | Comments |
---|---|
Mercedes-Benz AG | Affected |
Volkswagen | Affected |
Skoda | Affected |
Undisclosed OEM | Affected |
In addition to the vendors already mentioned, many others, including vendors outside the automotive industry, are also likely vulnerable to this attack.
Mercedes-Benz: Proof of Exploitation
The PCA Team performed proof-of-concept exploitation on a Mercedes-Benz NTG6 head unit. It is important to note that this is one of many vulnerable Mercedes-Benz head units. Older and newer (up-to-date) firmware versions are likely to be exploitable as well. The latest-generation head unit model, NTG7 (with up-to-date firmware), may also be affected, as it uses BlueSDK as its Bluetooth stack.
Information about the testing device is the following:
Vendor | IVI Part Number | Firmware Version | Firmware Release Date |
---|---|---|---|
Mercedes-Benz | A 253 900 69 05 / 001 | apilevel/ntg6/080 | ~2020-2021 |
Below is the demonstration of the reverse shell obtained on top of TCP/IP after successful Bluetooth exploitation. As can be seen, the Bluetooth process runs with the permissions of the phone user.
Volkswagen: Proof of Exploitation
The PCA Team used a Volkswagen MEB ICAS3 head unit for exploitation verification. This head unit is installed in the Volkswagen ID model line. It is important to note that this is one of many vulnerable Volkswagen head units. Older and newer (up-to-date) firmware versions are likely to be exploitable as well.
Information about the testing device is the following:
Vendor | IVI Part Number | Firmware Version | Firmware Release Date |
---|---|---|---|
Volkswagen | 10A035816E | 0792 (ID software version: 2.1) | Q1 2021 |
Volkswagen | 10A035816J | 0561 (ID software version: 3.2.12) | Dec. 2023 |
The exploit verification was conducted for the 0561 and 0792 firmware versions. Below is the demonstration of the reverse shell obtained on top of TCP/IP after successful Bluetooth exploitation (on firmware version 0561). As can be seen, the Bluetooth process runs with the permissions of the sint_sec_btapp user.
Skoda: Proof of Exploitation
The PCA Team used a Skoda MIB3 head unit for exploitation verification. This head unit is installed in the Skoda Superb model line and some Volkswagen model lines. It is important to note that this is one of many vulnerable Skoda head units. Older and newer (up-to-date) firmware versions are likely to be exploitable as well.
Information about the testing device is the following:
Vendor | IVI Part Number | Firmware Version | Firmware Release Date |
---|---|---|---|
Skoda | 3V0035820J | MIB3 0304 | ~2022 |
Below is the demonstration of the reverse shell obtained on top of TCP/IP after successful Bluetooth exploitation. As can be seen, the Bluetooth process runs with the permissions of the phone user.
CREDITS
PCA Security Assessment team:
- Abdellah Benotsmane
- Aleksei Stennikov
- Artem Ivachev
- Danila Parnishchev
- Mikhail Evdokimov
- Polina Smirnova
- Radu Motspan