CVE-2022-29974
Description
AMI NTFS driver 1.0.0 has a buffer overflow in NTFS update sequence array parsing, allowing an out-of-bounds write of two attacker-controlled bytes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2022-29974 is a pool-based buffer overflow in the AMI NTFS driver version 1.0.0, which is used in firmware for devices such as ASUS motherboards. The root cause is a missing boundary check when parsing the update sequence array (USA) of an NTFS filesystem. This array, used for multi-sector transfer protection, stores the last two bytes of each sector. The driver fails to validate the array size, leading to an out-of-bounds write [1].
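The array-size validation described above can be sketched as follows. This is an added example, not AMI's code or its fix: the function names, the 512-byte sector size and the sample record are assumptions, and the header offsets (+4 USA offset, +6 USA count) follow the standard NTFS multi-sector header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR 512u /* assumed size of the unit each USA entry protects */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Apply update sequence array fixups to a record of `len` bytes (hypothetical
 * helper). The count at +6 includes the leading update sequence number slot.
 * Returns 0 on success, -1 if the header is malformed or a sector is torn. */
int ntfs_apply_fixups(uint8_t *rec, size_t len)
{
    if (rec == NULL || len < SECTOR || len % SECTOR != 0)
        return -1;
    size_t usa_off = rd16(rec + 4), usa_cnt = rd16(rec + 6);
    size_t sectors = len / SECTOR;
    /* Array size check: entries must match the sectors actually in the buffer,
     * not whatever count the on-disk header claims. */
    if (usa_cnt == 0 || usa_cnt - 1 != sectors)
        return -1;
    /* The array must lie in the first sector, clear of its last two bytes. */
    if (usa_off < 8 || (usa_off & 1) || usa_off + usa_cnt * 2 > SECTOR - 2)
        return -1;
    uint16_t usn = rd16(rec + usa_off);
    /* Verify every sector tail before writing, so a reject leaves rec intact. */
    for (size_t i = 0; i < sectors; i++)
        if (rd16(rec + (i + 1) * SECTOR - 2) != usn)
            return -1;
    for (size_t i = 0; i < sectors; i++)
        wr16(rec + (i + 1) * SECTOR - 2, rd16(rec + usa_off + 2 * (i + 1)));
    return 0;
}

/* Constructed sample: 1024-byte record, USA at 0x30, USN 0x0001, count `cnt`. */
static uint8_t sample[1024];
int try_sample(uint16_t cnt)
{
    memset(sample, 0, sizeof sample);
    wr16(sample + 4, 0x30);        wr16(sample + 6, cnt);
    wr16(sample + 0x30, 0x0001);   /* update sequence number */
    wr16(sample + 0x32, 0xAAAA);   wr16(sample + 0x34, 0xBBBB); /* saved tails */
    wr16(sample + 510, 0x0001);    wr16(sample + 1022, 0x0001);
    return ntfs_apply_fixups(sample, sizeof sample);
}

int main(void)
{
    printf("count 3: %d, count 200: %d\n", try_sample(3), try_sample(200));
    return 0;
}
```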
Exploitation
An attacker can exploit this vulnerability by mounting a specially crafted NTFS volume that contains a malformed update sequence array. The attack does not require authentication but does require the ability to insert a malicious USB drive or other removable media that the system will attempt to mount. The out-of-bounds write overwrites two bytes at a calculated offset with attacker-chosen values (non-zero). This can corrupt adjacent pool memory, potentially leading to control of the driver's execution flow [1].
Impact
Successful exploitation allows an attacker to write two arbitrary bytes to a predictable location in memory. This may be leveraged to achieve arbitrary code execution within the EFI environment, which runs at the highest privilege level. The vulnerability could be used to persist across reboots or compromise the firmware itself [1].
Mitigation
AMI released a fix for the NTFS driver in late 2021 or early 2022, but downstream firmware updates for affected devices (e.g., ASUS) took over two years to propagate. Users should ensure their system firmware is updated to the latest version provided by the manufacturer. As of December 2024, the vulnerability is not known to be exploited in the wild, but its simplicity and similarity to related CVEs (CVE-2021-46790, CVE-2023-52168) highlight the importance of applying patches [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions
No linked articles in our index yet.