CVE-2024-30212

Microchip Harmony 3 Core library allows read and write access to RAM via a SCSI READ or WRITE command

Severity Score

7.0

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

If a SCSI READ(10) command is initiated via USB using the largest LBA
(0xFFFFFFFF) with it's default block size of 512 and a count of 1,

the first 512 byte of the 0x80000000 memory area is returned to the
user. If the block count is increased, the full RAM can be exposed.

The same method works to write to this memory area. If RAM contains
pointers, those can be - depending on the application - overwritten to

return data from any other offset including Progam and Boot Flash.

Si se inicia un comando SCSI READ(10) a través de USB utilizando el LBA más grande (0xFFFFFFFF) con su tamaño de bloque predeterminado de 512 y un recuento de 1, los primeros 512 bytes del área de memoria 0x80000000 se devuelven al usuario. Si se aumenta el número de bloques, toda la RAM puede quedar expuesta. El mismo método funciona para escribir en esta área de memoria. Si la RAM contiene punteros, estos se pueden sobrescribir, según la aplicación, para devolver datos de cualquier otro desplazamiento, incluidos Progam y Boot Flash.

*Credits: Fehr GmbH

CVSS Scores

Microchipv4 7.0

Attack Vector

Physical

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-26 CVE Reserved
2024-05-28 CVE Published
2024-06-12 EPSS Updated
2024-09-06 CVE Updated
2024-09-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

CAPEC-92: Forced Integer Overflow

References (3)

URL	Tag	Source
https://github.com/Microchip-MPLAB-Harmony/core/blob/master/release_notes.md	Release Notes

URL	Date	SRC
https://github.com/Fehr-GmbH/blackleak	2024-09-06

URL	Date	SRC
https://github.com/Microchip-MPLAB-Harmony/core/commit/d4608a4f1a140bd899cd4337cdbfb343a4339216	2024-06-11

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microchip Search vendor "Microchip"		MPLAB® Harmony 3 Core Module Search vendor "Microchip" for product "MPLAB® Harmony 3 Core Module"				>= 3.0.0 < 3.13.4 Search vendor "Microchip" for product "MPLAB® Harmony 3 Core Module" and version " >= 3.0.0 < 3.13.4"		en		Affected