VYPR
Medium severity 6.3 · NVD Advisory · Published Jun 28, 2025 · Updated Apr 15, 2026

CVE-2023-29113

Description

The MIB3 infotainment unit used in Skoda and Volkswagen vehicles does not incorporate any privilege separation for the proprietary inter-process communication mechanism, giving attackers with a presence in the system the ability to undermine access control restrictions implemented at the operating system level. The vulnerability was originally discovered in a Skoda Superb III car with an MIB3 infotainment unit, OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MIB3 infotainment units in Skoda/Volkswagen lack IPC privilege separation, enabling attackers with local access to bypass OS access controls.

Root Cause

The MIB3 infotainment unit, used in Skoda and Volkswagen vehicles, does not implement any privilege separation for its proprietary inter-process communication (IPC) mechanism. This architectural flaw allows any process running on the system to communicate with other processes without being subject to the access control restrictions enforced at the operating system level. The vulnerability was originally discovered in a Skoda Superb III equipped with OEM part number 3V0035820 and verified on other units, including those from Volkswagen [1][2].

Exploitation

An attacker must first gain a presence within the infotainment system—for example, through a separate vulnerability, physical access, or malicious app installation. Once inside, the attacker can abuse the unrestricted IPC channel to interact with privileged services or data, effectively bypassing the OS-level sandboxing that is supposed to prevent such access [1]. No special privileges are required beyond initial system access.

Impact

Successful exploitation allows an attacker to undermine the intended access control restrictions, potentially leading to escalation of privileges, unauthorized access to sensitive vehicle data, or manipulation of infotainment functions. The impact is limited to the infotainment domain but could serve as a stepping stone for further attacks on connected vehicle systems [1][2].

Mitigation

The vulnerability affects a broad range of MIB3 units with specific OEM part numbers used across multiple Volkswagen Group models, including Skoda Karoq, Kodiaq, Superb, and Volkswagen Passat, Golf, Tiguan, among others [1][2]. As of the advisory publication, vendor updates were not yet widely available; owners and fleet operators are advised to monitor for firmware patches from Preh Car Connect GmbH (JOYNEXT GmbH) or their vehicle manufacturer. No workaround short of a software update is currently known.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

3
