And it was Microsoft Copilot that unwittingly revealed the longstanding vulnerability
Analysis Summary
# Vulnerability: Surface SAM Firmware Arbitrary Write (Bricking via Userspace)
## CVE Details
- **CVE ID:** Not assigned (Publicly disclosed as a firmware design flaw addressed via quiet patching)
- **CVSS Score:** ~6.8 (Medium/High; adjusted for the requirement of Administrator privileges and a non-default configuration)
- **CWE:** CWE-20 (Improper Input Validation), CWE-1242 (Condition of Missing Hardware Barrier)
## Affected Systems
- **Products:** Microsoft Surface hardware line
- **Versions:** Surface Laptop 3–6, Surface Book 1–3. (Note: ARM-based variants and Surface Go models are reportedly not affected or untested).
- **Configurations:** Systems where **Secure Core** and **Secure Boot** have been disabled, allowing administrative userspace processes to interact directly with hardware drivers.
## Vulnerability Description
The vulnerability exists in the Surface System Aggregator Module (SAM), also referred to as the Surface Aggregator (SSAM). The SAM is an embedded controller (EC) responsible for low-level hardware tasks such as backlight control and power management.
The implementation lacked a hardware-level write protection mechanism (such as a physical jumper or button requirement) to authorize firmware writes. Furthermore, the Command IDs (CIDs) on the SAM bus are interleaved—read and write commands occupy the same numbering space without structural separation. Through the `SSAM_CDEV_REQUEST` (0xC028A501) IOCTL, a script in userspace can send raw commands to the microcontroller. If a "SET" command with a null or garbage payload is sent to a sensitive CID, it can overwrite the UEFI and Secure Boot firmware stored in non-volatile memory. This results in a permanent "brick," as the device fails POST (Power-On Self-Test) on the next reboot.
## Exploitation
- **Status:** PoC created (Accidentally generated by Microsoft Copilot Python script).
- **Complexity:** Low (Scripted iteration over IOCTL commands).
- **Attack Vector:** Local (Requires Administrator privileges to interact with the SSAM driver).
## Impact
- **Confidentiality:** None
- **Integrity:** Total (Firmware is corrupted/overwritten).
- **Availability:** Total (Permanent hardware bricking; requires motherboard replacement).
## Remediation
### Patches
- Microsoft has been "quietly patching" firmware over a 90-day period ending June 2026. Users should apply all Windows and Surface Firmware updates via Windows Update.
- **Future Hardware:** Microsoft is rewriting the EC firmware in Rust (**Project Secure EC**) and the UEFI DXE Core in Rust (**Project Patina**) to prevent these classes of memory and logic errors.
### Workarounds
- **Enable Security Features:** Retain default settings for **Secure Core** and **Secure Boot**, which block the unauthorized driver interactions required for this exploit.
- **Restrict Admin Privileges:** Ensure users operate with standard permissions to prevent raw IOCTL command execution.
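The first workaround is only effective if Secure Boot is actually still enabled, so a defender wants a way to verify that on the host. The following is an added example, not code from the advisory or from Microsoft: it reads the UEFI `SecureBoot` variable through Linux efivarfs (the variable name and the `EFI_GLOBAL_VARIABLE` GUID are standard UEFI; the efivarfs layout of four little-endian attribute bytes followed by the variable data is assumed from the kernel's efivarfs ABI) and reports the state. The parsing is separated from the file read so it can be exercised on constructed bytes.

```python
"""Added example (not part of the advisory): report whether Secure Boot is
enforced, by parsing the UEFI SecureBoot variable exposed via efivarfs.

Assumptions (mine, not the page's): efivarfs exposes each variable as
4 bytes of attributes (little-endian) followed by the variable data, and
the SecureBoot variable carries a single byte where 1 means enabled."""
from pathlib import Path

# Standard UEFI GUID for EFI_GLOBAL_VARIABLE, under which SecureBoot lives.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
SECUREBOOT_VAR = EFIVARS_DIR / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar too short to carry an attribute header")
    attrs = int.from_bytes(raw[:4], "little")
    return attrs, raw[4:]


def secure_boot_enabled(raw: bytes) -> bool:
    """True if the SecureBoot variable payload says enforcement is on."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"unexpected SecureBoot payload length {len(data)}")
    return data[0] == 1


def check_host(path: Path = SECUREBOOT_VAR) -> str:
    """Human-readable posture for this host; 'unknown' when efivars is absent."""
    if not path.exists():
        return "unknown (no efivars: legacy BIOS, no UEFI runtime, or not Linux)"
    return "enabled" if secure_boot_enabled(path.read_bytes()) else "DISABLED"


# Constructed sample variable contents (attributes 0x06 = BS|RT, then the flag).
SAMPLE_ENABLED = b"\x06\x00\x00\x00\x01"
SAMPLE_DISABLED = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("Secure Boot on this host:", check_host())
```

A `DISABLED` result on a Surface means the precondition the advisory describes (userspace processes allowed to talk to the SAM driver) may hold, and the device should be returned to its default configuration before anything else.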
## Detection
- **Indicators of Compromise:** Execution of suspicious Python or PowerShell scripts attempting to send `0xC028A501` IOCTL requests to Surface drivers.
- **Detection Methods:** System logs showing unauthorized attempts to interact with the `Surface Serial Hub` or `Surface Aggregator` drivers.
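The two detection bullets above can be turned into a concrete log rule. What follows is an added example, not code from the advisory or from Microsoft: it scans host log lines for the `SSAM_CDEV_REQUEST` ioctl number `0xC028A501` named in the advisory (matched case-insensitively, since scripts and loggers disagree on hex case) and for raw request activity against the `Surface Aggregator` / `Surface Serial Hub` drivers. It also decodes the ioctl number using the Linux `_IOC` field layout (direction, size, type, number), which is an assumption I add to show why this one value is a useful indicator. The log format and all sample lines are constructed for the example.

```python
"""Added example (not part of the advisory): flag log lines that show raw
requests reaching the Surface Aggregator, keyed on the SSAM_CDEV_REQUEST
ioctl number the advisory names.

Assumptions (mine, not the page's): log lines look like
"<timestamp> <pid> <comm>: <message>", and 0xC028A501 follows the Linux
_IOC encoding dir:2 | size:14 | type:8 | nr:8 (x86 layout)."""
import re
from dataclasses import dataclass

SSAM_CDEV_REQUEST = 0xC028A501  # IOCTL number from the advisory

# Driver names from the advisory, normalised to lower case with spaces.
WATCHED_DRIVERS = ("surface aggregator", "surface serial hub")
REQUEST_WORDS = ("ioctl", "deviceiocontrol")  # raw-request verbs to look for
HEX_RE = re.compile(r"0x[0-9a-fA-F]{8}")


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def decode_ioctl(code: int) -> dict:
    """Split a Linux ioctl number into its _IOC fields (assumed x86 layout)."""
    nr = code & 0xFF
    typ = (code >> 8) & 0xFF
    size = (code >> 16) & 0x3FFF
    direction = (code >> 30) & 0x3          # _IOC_WRITE = 1, _IOC_READ = 2
    names = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}
    return {"nr": nr, "type": typ, "size": size, "dir": names[direction]}


def scan_log(lines) -> list[Finding]:
    """Return one Finding per line that matches either detection rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        norm = line.lower().replace("_", " ")
        # Rule 1: the exact SSAM_CDEV_REQUEST number, whatever the hex case.
        for tok in HEX_RE.findall(line):
            if int(tok, 16) == SSAM_CDEV_REQUEST:
                findings.append(Finding(n, "SSAM_CDEV_REQUEST ioctl", line))
                break
        else:
            # Rule 2: a raw request verb aimed at one of the watched drivers.
            # Plain driver mentions (probe/load messages) are left alone.
            if any(d in norm for d in WATCHED_DRIVERS) and any(
                w in norm for w in REQUEST_WORDS
            ):
                findings.append(Finding(n, "raw request to aggregator driver", line))
    return findings


# Constructed sample log; none of these lines come from a real system.
SAMPLE_LOG = [
    "2026-03-02T10:14:01Z 4812 systemd: started surface_aggregator registry",
    "2026-03-02T10:15:22Z 5120 python3: ioctl(fd=7, req=0xC028A501) on surface_aggregator cdev",
    "2026-03-02T10:15:23Z 5120 python3: ioctl(fd=7, req=0xc028a501) on surface_aggregator cdev",
    "2026-03-02T10:16:00Z 6001 pwsh: DeviceIoControl Surface Serial Hub control=0x00222000",
    "2026-03-02T10:17:45Z 7000 sshd: Accepted publickey for alice",
]

if __name__ == "__main__":
    print("SSAM_CDEV_REQUEST decodes to:", decode_ioctl(SSAM_CDEV_REQUEST))
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.text}")
```

Line 1 of the sample is a driver load message and is deliberately not flagged; the rule fires only when a request verb accompanies the driver name, which keeps routine boot logs out of the alert stream. The decoded number (type 0xA5, request 1, a 40-byte read/write structure) is what a script must pass to reach the aggregator through the character device, so it is a stable indicator regardless of which interpreter runs the script.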
## References
- Surface Aggregator Module Overview: hxxps[://]docs[.]kernel[.]org/driver-api/surface_aggregator/overview[.]html
- Open Device Partnership (ODP): hxxps[://]opendevicepartnership[.]org/
- Windows Drivers in Rust (WDR): hxxps[://]github[.]com/microsoft/windows-drivers-rs
- Project Patina: hxxps[://]github[.]com/OpenDevicePartnership/patina