CVE-2024-0762
📋 TL;DR
A buffer overflow vulnerability in Phoenix SecureCore UEFI firmware's variable handling allows attackers to execute arbitrary code with high privileges. This affects multiple Intel platforms from Kaby Lake to Meteor Lake. Exploitation could lead to persistent firmware-level compromise.
💻 Affected Systems
- Phoenix SecureCore for Intel platforms
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains persistent firmware-level control, enabling rootkit installation, bypassing OS security controls, and maintaining persistence across OS reinstalls.
Likely Case
Local attacker with physical or administrative access exploits the vulnerability to install firmware-level malware or bypass secure boot.
If Mitigated
With proper access controls and monitoring, exploitation requires physical or privileged access, limiting widespread impact.
🎯 Exploit Status
Exploitation requires physical access or administrative privileges. No public exploit code available at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kaby Lake: 4.0.1.998; Coffee Lake: 4.1.0.562; Ice Lake: 4.2.0.323; Comet Lake: 4.2.1.287; Tiger Lake: 4.3.0.236; Jasper Lake: 4.3.1.184; Alder Lake: 4.4.0.269; Raptor Lake: 4.5.0.218; Meteor Lake: 4.5.1.15
Vendor Advisory: https://phoenixtech.com/phoenix-security-notifications/CVE-2024-0762/
Restart Required: Yes
Instructions:
1. Contact device manufacturer for BIOS/UEFI firmware update. 2. Download appropriate firmware update. 3. Apply update following manufacturer instructions. 4. Reboot system to complete installation.
🔧 Temporary Workarounds
Restrict physical access
allLimit physical access to vulnerable systems to prevent local exploitation
Implement secure boot
allEnable and properly configure secure boot to detect firmware tampering
🧯 If You Can't Patch
- Isolate vulnerable systems in secure network segments
- Implement strict access controls and monitoring for physical access
🔍 How to Verify
Check if Vulnerable:
Check BIOS/UEFI firmware version against affected ranges. Use manufacturer-specific tools or system information utilities.Check Version:
Windows: wmic bios get smbiosbiosversion; Linux: dmidecode -s bios-version; macOS: system_profiler SPHardwareDataType | grep "Boot ROM Version"Verify Fix Applied:
Verify firmware version matches or exceeds patched versions listed in vendor advisory.📡 Detection & Monitoring
Log Indicators:
- Unexpected firmware update attempts
- Secure boot violations
- BIOS/UEFI configuration changes
Network Indicators:
- Unusual outbound connections from firmware management interfaces
SIEM Query:
EventID=12 OR EventID=13 (Windows System logs for firmware changes) OR secure boot violation logs🔗 References
- https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/
- https://news.ycombinator.com/item?id=40747852
- https://phoenixtech.com/phoenix-security-notifications/CVE-2024-0762/
- https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/
- https://news.ycombinator.com/item?id=40747852
- https://www.phoenix.com/security-notifications/cve-2024-0762/
