Skip to main content

CVE-2024-4760: CWE-1247: Improper Protection Against Voltage and Clock Glitches in Microchip SAME70

Medium
VulnerabilityCVE-2024-4760cvecve-2024-4760cwe-1247
Published: Thu May 16 2024 (05/16/2024, 13:07:57 UTC)
Source: CVE Database V5
Vendor/Project: Microchip
Product: SAME70

Description

A voltage glitch during the startup of EEFC NVM controllers on Microchip SAM E70/S70/V70/V71, SAM G55, SAM 4C/4S/4N/4E, and SAM 3S/3N/3U microcontrollers allows access to the memory bus via the debug interface even if the security bit is set.

AI-Powered Analysis

AILast updated: 07/08/2025, 02:27:18 UTC

Technical Analysis

CVE-2024-4760 is a medium-severity vulnerability affecting multiple Microchip microcontroller families, including SAM E70/S70/V70/V71, SAM G55, SAM 4C/4S/4N/4E, and SAM 3S/3N/3U series. The vulnerability arises from improper protection against voltage and clock glitches during the startup phase of the Embedded Flash Controller (EEFC) Non-Volatile Memory (NVM) controllers. Specifically, an attacker can induce a voltage glitch at startup, which bypasses the security bit that normally restricts access to the memory bus via the debug interface. This flaw allows unauthorized read and write access to the microcontroller’s memory, potentially exposing sensitive data or enabling malicious code injection. The vulnerability is classified under CWE-1247, which relates to insufficient protection against voltage and clock glitches. The CVSS 3.1 base score is 6.3 (medium), reflecting that exploitation requires physical proximity (attack vector: physical), high attack complexity, no privileges, and some user interaction. The impact on confidentiality, integrity, and availability is high if exploited, as attackers can fully access and manipulate the microcontroller’s memory contents. No known exploits are currently reported in the wild, and no patches have been published yet by Microchip. This vulnerability is particularly critical for embedded systems relying on these microcontrollers for secure operations, such as industrial control, automotive, medical devices, and critical infrastructure components. The attack requires physical access and precise timing to induce voltage glitches, making remote exploitation infeasible but raising concerns for devices deployed in physically accessible environments.

Potential Impact

For European organizations, the impact of CVE-2024-4760 is significant in sectors that deploy Microchip SAME70 and related microcontrollers in embedded systems. These include industrial automation, automotive manufacturing, healthcare devices, and critical infrastructure such as energy and transportation systems. Successful exploitation could lead to unauthorized disclosure of sensitive information, manipulation of device behavior, or permanent device compromise, undermining operational integrity and safety. Given the physical access requirement, the threat is more acute in environments where devices are accessible to insiders or attackers with physical proximity, such as manufacturing floors, field installations, or service centers. The vulnerability could facilitate espionage, sabotage, or supply chain attacks, particularly in high-value targets. European organizations must consider this risk in their embedded device security assessments and supply chain risk management. The lack of patches increases exposure until mitigations or hardware revisions are available.

Mitigation Recommendations

1. Restrict physical access to devices using affected Microchip microcontrollers to trusted personnel only, employing tamper-evident seals and secure enclosures. 2. Implement environmental monitoring to detect abnormal voltage or clock conditions indicative of glitching attempts. 3. Use hardware security modules or external secure elements to offload critical security functions away from vulnerable microcontrollers. 4. Employ layered security controls such as encrypted firmware, secure boot, and runtime integrity checks to limit the impact of memory access. 5. Monitor vendor communications closely for firmware updates or hardware revisions addressing this vulnerability and plan timely patching or device replacement. 6. Conduct security audits and penetration tests focusing on physical attack vectors and side-channel resistance. 7. For new designs, consider alternative microcontrollers with robust glitch resistance and certified security features. 8. Educate operational staff about the risks of physical tampering and enforce strict device handling policies.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Microchip
Date Reserved
2024-05-10T15:18:00.908Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6843062b71f4d251b5ce778e

Added to database: 6/6/2025, 3:15:55 PM

Last enriched: 7/8/2025, 2:27:18 AM

Last updated: 8/18/2025, 10:39:40 AM

Views: 27

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats