Lucene search

INCDCVE-2024-38433

HistoryJul 11, 2024 - 8:15 a.m.

CVE-2024-38433

2024-07-1108:15:10

CWE-305

CWE-287

INCD

web.nvd.nist.gov

nuvoton bootblock

authentication bypass

flash modification

arbitrary code executio

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

9.3%

JSON

Nuvoton - CWE-305: Authentication Bypass by Primary Weakness

An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock

reference code can modify the u-boot image header on flash parsed by the BootBlock which could lead to arbitrary code

execution.

Affected configurations

Nvd

Node

nuvotonnpcm750r_firmwareRange<10.10.19

AND

nuvotonnpcm750rMatch-

Node

nuvotonnpcm710r_firmwareRange<10.10.19

AND

nuvotonnpcm710rMatch-

Node

nuvotonnpcm730r_firmwareRange<10.10.19

AND

nuvotonnpcm730rMatch-

Node

nuvotonnpcm705r_firmwareRange<10.10.19

AND

nuvotonnpcm705rMatch-

VendorProductVersionCPE
nuvotonnpcm750r_firmware*cpe:2.3:o:nuvoton:npcm750r_firmware:*:*:*:*:*:*:*:*
nuvotonnpcm750r-cpe:2.3:h:nuvoton:npcm750r:-:*:*:*:*:*:*:*
nuvotonnpcm710r_firmware*cpe:2.3:o:nuvoton:npcm710r_firmware:*:*:*:*:*:*:*:*
nuvotonnpcm710r-cpe:2.3:h:nuvoton:npcm710r:-:*:*:*:*:*:*:*
nuvotonnpcm730r_firmware*cpe:2.3:o:nuvoton:npcm730r_firmware:*:*:*:*:*:*:*:*
nuvotonnpcm730r-cpe:2.3:h:nuvoton:npcm730r:-:*:*:*:*:*:*:*
nuvotonnpcm705r_firmware*cpe:2.3:o:nuvoton:npcm705r_firmware:*:*:*:*:*:*:*:*
nuvotonnpcm705r-cpe:2.3:h:nuvoton:npcm705r:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nuvoton	npcm750r_firmware	*	cpe:2.3:o:nuvoton:npcm750r_firmware::::::::
nuvoton	npcm750r	-	cpe:2.3:h:nuvoton:npcm750r:-:::::::*
nuvoton	npcm710r_firmware	*	cpe:2.3:o:nuvoton:npcm710r_firmware::::::::
nuvoton	npcm710r	-	cpe:2.3:h:nuvoton:npcm710r:-:::::::*
nuvoton	npcm730r_firmware	*	cpe:2.3:o:nuvoton:npcm730r_firmware::::::::
nuvoton	npcm730r	-	cpe:2.3:h:nuvoton:npcm730r:-:::::::*
nuvoton	npcm705r_firmware	*	cpe:2.3:o:nuvoton:npcm705r_firmware::::::::
nuvoton	npcm705r	-	cpe:2.3:h:nuvoton:npcm705r:-:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "NPCM7xx (Poleg) BootBlock",
    "vendor": "Nuvoton",
    "versions": [
      {
        "lessThan": "v10.10.19",
        "status": "affected",
        "version": "All versions",
        "versionType": "custom"
      }
    ]
  }
]

References

www.gov.il/en/Departments/faq/cve_advisories

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

9.3%

JSON

Related for CVE-2024-38433