CVE-2024-8105 | HackTesting

A vulnerability exists in UEFI implementations that use a hard-coded software-based Platform Key (PK). An attacker in possession of the corresponding PK private key can sign arbitrary UEFI executables or firmware components, causing them to be trusted by affected systems and potentially bypassing UEFI Secure Boot trust validation.

Credits

Binarly Research team

References

https://uefi.org/specs/UEFI/2.9_A/32_Secure_Boot_and_Driver_Signing.html

https://www.binarly.io/advisories/brly-2024-005

https://kb.cert.org/vuls/id/455367

https://github.com/binarly-io/Vulnerability-REsearch/blob/main/PKfail/BRLY-2024-005.md

https://www.supermicro.com/en/support/security_PKFAIL_Jul_2024

https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2024-07-25-001.html

https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FJ-ISS-2024-072412-Security-Notice.pdf

https://www.gigabyte.com/us/Support/Security/2205