Gigabyte GA-H110M-S2HP
- F22f (2024-07-31)
A vulnerability has been identified in Gigabyte UEFI firmware that allows a local attacker to manipulate the RBX register, which is used as an unchecked pointer in the CommandRcx0 function of the Software SMI handler (SwSmiInputValue 0xB2). If the pointer points to specific values, the function can write arbitrary data to System Management RAM (SMRAM). Exploitation could lead to unauthorized access to System Management Mode (SMM) and a persistent compromise of the firmware.
Exploitation of this vulnerability could allow a local attacker with administrative privileges to execute arbitrary code in System Management Mode, bypassing operating system protections. Such actions could disable UEFI security features such as Secure Boot and Intel BootGuard, and facilitate the installation of a firmware backdoor that persists through operating system reinstalls.
The vulnerability can be reproduced by sending a Software SMI command that targets the SwSmiInputValue 0xB2. The command should include a payload that manipulates the RBX register to point to a location in SMRAM or just before it. Once the CommandRcx0 function is invoked, the unchecked pointer can be used to write arbitrary data to the specified memory location, exploiting the vulnerability.
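The missing check, sketched as an added example (not Gigabyte's code or code from this advisory): before an SMI handler dereferences a caller-supplied pointer such as RBX, the whole access range must be proven to lie outside SMRAM, including the case where it starts just before SMRAM and runs into it. The SMRAM range, function names and sample addresses are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMRAM layout for illustration only. Real firmware obtains
 * the ranges from the platform rather than hard-coding them. */
typedef struct { uint64_t base, size; } smram_range_t;
static const smram_range_t k_smram[] = {
    { 0x7B000000ULL, 0x00800000ULL },   /* hypothetical 8 MiB TSEG */
};

/* True only if [addr, addr + len) lies entirely outside every SMRAM range. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT64_MAX - len)
        return false;                   /* empty access or address wrap */
    uint64_t end = addr + len;          /* exclusive end of the access */
    for (size_t i = 0; i < sizeof k_smram / sizeof k_smram[0]; i++) {
        uint64_t lo = k_smram[i].base, hi = lo + k_smram[i].size;
        if (addr < hi && end > lo)
            return false;               /* any overlap, even one byte */
    }
    return true;
}

/* Hypothetical gate a handler would call before dereferencing the RBX
 * value taken from the interrupted context. Returns 0 to proceed, -1 to reject. */
int check_swsmi_pointer(uint64_t saved_rbx, uint64_t access_len)
{
    return buffer_outside_smram(saved_rbx, access_len) ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: normal RAM, inside SMRAM, straddling its base. */
    const uint64_t samples[] = { 0x00100000ULL, 0x7B000010ULL, 0x7AFFFFFCULL };
    for (size_t i = 0; i < 3; i++)
        printf("rbx=0x%llx -> %s\n", (unsigned long long)samples[i],
               check_swsmi_pointer(samples[i], 8) == 0 ? "allow" : "reject");
    return 0;
}
```

In EDK II based firmware the equivalent library check is `SmmIsBufferOutsideSmmValid` from SmmMemLib, applied to the pointer together with the full length the handler will read or write.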
Users are advised to update to the latest UEFI firmware version provided by Gigabyte. Instructions for applying the update can be found on the Gigabyte support site.