CVE-2023-34397
Published: 13 February 2025
Summary
CVE-2023-34397 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Mercedes-Benz Headunit Ntg6 Mercedes-Benz User Experience. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Service Exhaustion Flood (T1499.002); ranked in the top 44.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-34397 affects the Mercedes Benz head-unit NTG 6, which includes functions for importing or exporting profile settings over USB. The vulnerability arises during parsing of these settings, allowing an attacker to trigger a crash of the associated service, resulting in a denial-of-service condition. Classified under CWE-400 (Uncontrolled Resource Consumption), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no effects on confidentiality or integrity.
An unauthenticated attacker (PR:N) can exploit this over a network vector (AV:N) with low attack complexity and no user interaction required. Exploitation crashes the service, disrupting availability on the affected head-unit.
Mitigation details are outlined in the security research advisory at https://securelist.com/mercedes-benz-head-unit-security-research/115218/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38475
Vulnerability details
Mercedes Benz head-unit NTG 6 contains functions to import or export profile settings over USB. During parsing you can trigger that the service will be crashed.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables service crash via resource exhaustion during profile parsing, mapping to Service Exhaustion Flood.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates profile settings inputs prior to parsing to prevent uncontrolled resource consumption and service crashes from malformed USB data.
Implements denial-of-service protections to limit effects of the parsing vulnerability that crashes the head-unit service.
Ensures error handling during profile parsing does not disclose information or lead to service denial-of-service crashes.