CVE-2024-36877 - Write-What-Where Vulnerability in MSI Z-Series and B-Series Motherboards Exposes Millions of PCs

CVE-2024-36877 uncovers a critical vulnerability affecting a huge number of Micro-Star International (MSI) motherboards in both Z-series (Z590, Z490, Z790) and B-series (B760, B560, B660, B460) lines. This write-what-where flaw—found in the SW handler for System Management Interrupt (SMI) xE3—impacts firmware versions 7D25v14, 7D25v17 to 7D25v19, and 7D25v1A to 7D25v1H. The issue isn’t exclusive to just a handful of boards: this bug extends to machines using Intel chipsets from the 300 to 700 families and AMD chipsets from the 300 up through the 700 series. That’s practically every major mainstream motherboard sold in the last decade.

This exclusive post will break down what the vulnerability is, why it’s dangerous, who’s most at risk, and how an attack could really go down—including some code snippets for those who want a closer look.

What Happened?

Researchers found that a routine in the firmware—specifically, the SW handler for SMI xE3—does not properly check or restrict memory writes. This leads to a write-what-where condition, where an attacker can tell the firmware both *what* value to write and *where* to write it. This opens the door to full system compromise if exploited from the operating system, or potentially even via remote attacks using a second vulnerability.

What’s a Write-What-Where Bug?

A *write-what-where* is one of the most dangerous types of vulnerabilities in low-level software. If an attacker can tell the SMI handler both *what* data to write—and *where* in memory to place it—they can overwrite security settings, inject persistent malware (like rootkits), or even disable the motherboard entirely.

The SMI (System Management Interrupt) is handled by the system's firmware outside the visibility of the rest of the OS. This is supposed to be a super-trusted computing environment. If it’s compromised, the attacker can do just about anything to your machine, often in ways you can’t even see, and which persist between reboots.

Deep Dive: The Dangerous Code Snippet

Based on research and the patterns common to these kinds of firmware bugs, the vulnerable code often looks like this (in pseudocode, since we don’t have actual private MSI source):

// Pseudocode. SmmSwHandler for SMI xE3
void HandleSwSmiE3(UINTN *Buffer) {
    UINTN What = Buffer[];
    UINTN Where = Buffer[1];
    *(UINTN*)Where = What;       // <-- Not checked: attacker controls both fields!
}

What’s wrong here?
There’s no validation or filtering of either parameter. If malware submits an SMI request to the SW handler for xE3 with malicious What/Where values, it can force the SMM environment to write any value (like a pointer to a payload) anywhere in memory, including protected kernel or SMM memory regions.

Exploit Scenario: What Could Go Wrong?

Let’s say an attacker has already gotten regular admin privileges in Windows or Linux on the target PC (via phishing or a prior exploit). Now they can trigger the SMI xE3 handler, passing in:

The attack could look like this from userspace (simplified, concept only)

import ctypes
# Define SMI communication structure
smi_buf = (ctypes.c_uint64 * 2)()
smi_buf[] = shellcode_address    # What to write (address of attacker code)
smi_buf[1] = target_ptr_address   # Where to write (to overwrite SMM handler, kernel variable, etc.)

# Use a device driver to trigger the SMI (device-specific details omitted)
trigger_smi(xE3, ctypes.addressof(smi_buf))

With a single call, persistent rootkit code could be injected into the system firmware, invisible to antivirus and almost impossible to remove without special tools.

Proof-of-Concept and Further Reading

Currently, working proof-of-concept (PoC) exploits have been developed but are not public, due to the danger these pose. However, vulnerability researchers have demonstrated end-to-end exploitation that leads to full SMM code execution on affected boards.

Technical Analysis

- Binarly Blog: MSI Firmware Contains SMM Write-What-Where
- MITRE CVE-2024-36877
- Eclypsium blog: Breaking UEFI Security

Anyone running an MSI Z590, Z490, Z790, B760, B560, B660, or B460 motherboard

- Users of both Intel and AMD systems across the 300/400/500/600/700 chipsets, as listed above

What Should You Do?

- Check for BIOS/firmware updates from MSI as soon as possible.
- MSI downloads: https://www.msi.com/support
- If you cannot update, consider strictly limiting access to your computer or using security software that can attempt to monitor BIOS/firmware attacks.
- Be suspicious if you suddenly can’t boot, BIOS settings change themselves, or persistent malware keeps returning after a full OS reinstallation.

Conclusion

CVE-2024-36877 is a textbook example of why low-level firmware security matters. With so many modern systems affected, the importance of prompt patching—and of treating PC firmware as a critical surface—has never been clearer.

If you’ve got an MSI motherboard from recent years, check your BIOS immediately. This isn’t just a theoretical risk; it’s a potential backdoor right in the heart of your computer.

*Stay safe. Patch early. And spread the word to friends and colleagues who might have vulnerable systems.*

References

- CVE-2024-36877 on MITRE
- Binarly Advisory
- MSI Support and Downloads
- Eclypsium UEFI Security Research

Timeline

Published on: 08/12/2024 16:15:15 UTC
Last modified on: 08/15/2024 16:15:19 UTC