UEFI Vulnerability Due to Insecure Platform Key
CVE-2024-8105

Currently unrated

Key Information:

Vendor

Acer

CVE Published:
26 August 2024

What is CVE-2024-8105?

A significant vulnerability has been identified in UEFI firmware that uses a compromised Platform Key (PK). An attacker who gains access to the private key of the compromised PK can potentially create malicious UEFI software and sign it with that trusted key, allowing it to bypass security mechanisms. Exploitation poses a considerable threat to system integrity and security, enabling unauthorized access to and control over affected devices. Various vendors, including Intel, Supermicro, Fujitsu, and Gigabyte, are impacted, highlighting the need for immediate attention to firmware security practices.

Affected Version(s)

aio-300-22isu a6b6a2940a5f4c98e2f531624707fd8ab7dc61f4b3d3de0457fe00ba3cc5c135

aio-510-22asr 47affcc25ded66333920985902473398438b49dac28be82542062ddabffec3c8

alienware-13 fe9e2b75babda09ba22a3e99494198e125188d9345bda2b961f10e98e6c2b784

Timeline

  • Vulnerability published

Credit

Binarly Research team