CVE-2024-7726 in CM6info

Summary

by MITRE • 12/20/2024

There exists an unauthenticated accessible JTAG port on the Kioxia PM6, PM7 and CM6 devices - On the Kioxia CM6, PM6 and PM7 disk drives it was discovered that the 2 main CPU cores of the SoC can be accessed via an open JTAG debug port that is exposed on the drive’s circuit board. Due to the wide cutout of the enclosures, the JTAG port can be accessed without having to open the disk enclosure. Utilizing the JTAG debug port, an attacker with (temporary) physical access can get full access to the firmware and memory on the 2 main CPU cores within the drive including the execution of arbitrary code, the modification of firmware execution flow and data or bypassing the firmware signature verification during boot-up.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 12/20/2024

The vulnerability identified as CVE-2024-7726 represents a critical security flaw in Kioxia PM6, PM7, and CM6 solid state drives where an unauthenticated JTAG port remains accessible on the device's circuit board. This exposes the underlying system onchip controller architecture to unauthorized access, fundamentally undermining the security posture of enterprise storage solutions. The vulnerability stems from the design decision to leave the JTAG debug interface exposed externally, creating a persistent backdoor that can be exploited by attackers with physical access to the hardware. The exposed nature of this interface directly violates the principle of least privilege and represents a significant oversight in hardware security design.

The technical implementation of this vulnerability involves the direct exposure of two primary CPU cores within the system on chip architecture through a JTAG debug port that is physically accessible without requiring the removal of the disk enclosure. The wide cutout in the enclosure design eliminates any physical barrier that would normally prevent unauthorized access to this critical interface. This architectural flaw allows an attacker with temporary physical access to establish a direct connection to the SoC's debug interface, bypassing all standard security mechanisms and firmware protections. The JTAG interface provides comprehensive access to the memory space of both CPU cores, enabling full firmware inspection, code execution, and the ability to modify the boot process flow.

The operational impact of this vulnerability extends far beyond simple data compromise, as it enables complete system takeover and persistent control over the affected storage devices. Attackers can execute arbitrary code within the firmware environment, modify firmware execution flow to introduce backdoors or malicious behavior, and bypass firmware signature verification mechanisms during the boot process. This capability fundamentally undermines the integrity and authenticity guarantees that enterprise storage systems are expected to provide. The vulnerability creates a persistent threat vector that can be exploited to establish long-term control over storage infrastructure, potentially enabling data exfiltration, system corruption, or the deployment of malicious firmware modifications that survive system reboots.

The security implications of this vulnerability align with CWE-254, which addresses weaknesses in security features, and represents a clear violation of the principle of secure by design. From an ATT&CK framework perspective, this vulnerability maps to techniques involving system firmware modification and privilege escalation through physical access. Organizations utilizing these storage devices face significant risk of supply chain attacks, insider threats, and targeted physical security breaches. The vulnerability's exploitability through simple physical access without authentication makes it particularly dangerous in environments where physical security controls may be insufficient or compromised. Mitigation strategies should include hardware-level solutions such as JTAG port disablement, physical security measures, and firmware-level protections against unauthorized access to debug interfaces. However, the fundamental design flaw requires comprehensive re-evaluation of hardware security architectures to prevent similar vulnerabilities in future implementations.

This vulnerability demonstrates the critical importance of considering physical security aspects in hardware design and the need for comprehensive security testing that includes examination of debug and test interfaces. The exposed JTAG port represents a failure in the security by design approach, where security considerations are not properly integrated into the hardware development lifecycle. Organizations should implement strict physical security controls around storage infrastructure and conduct regular security assessments to identify similar vulnerabilities in other hardware components. The vulnerability also highlights the need for industry-wide standards and best practices regarding debug interface management in storage devices to prevent unauthorized access to critical system components.

Responsible

Google

Reservation

08/12/2024

Disclosure

12/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00395

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!