CVE-2024-8105

Sažetak

A vulnerability exists in UEFI implementations that use a hard-coded software-based Platform Key (PK). An attacker in possession of the corresponding PK private key can sign arbitrary UEFI executables or firmware components, causing them to be trusted by affected systems and potentially bypassing UEFI Secure Boot trust validation.

Reference

https://github.com/binarly-io/Vulnerability-REsearch/blob/main/PKfail/BRLY-2024-005.md
https://kb.cert.org/vuls/id/455367
https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2024-072412-Security-Notice.pdf
https://uefi.org/specs/UEFI/2.9_A/32_Secure_Boot_and_Driver_Signing.html
https://www.binarly.io/advisories/brly-2024-005
https://www.gigabyte.com/us/Support/Security/2205
https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2024-07-25-001.html
https://www.supermicro.com/en/support/security_PKFAIL_Jul_2024
https://www.kb.cert.org/vuls/id/455367

CVSS

Base:	6.4
Impact:	5.9
Exploitability:	0.5

Pristup

Vektor	Složenost	Autentikacija
LOCAL	HIGH	HIGH

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

28-06-2026 - 21:16

Objavljeno

26-08-2024 - 20:15