Gigabyte UEFI Firmware Memory Corruption Vulnerability via Unchecked Function Pointer Dereference in SMM Flash Management

Vulnerability

A vulnerability exists in Gigabyte UEFI firmware that allows a local attacker to control pointers supplied to System Management Mode through the RBX and RCX registers. The affected code is the Software SMI handler for SwSmiInputValue 0x20, and several motherboard models are affected. The handler passes the unchecked pointers to its flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo), which dereference them without validating that they point outside System Management RAM (SMRAM). The flaw therefore gives arbitrary read and write access to SMRAM, potentially leading to firmware corruption, exfiltration of SMRAM contents via the flash part, or the installation of persistent malware.
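The root cause above is a missing pointer check: an SMI handler must confirm that every caller-supplied address (the request structure and any data buffer) lies entirely outside SMRAM before touching it. The following C example is added here as an illustration of that check; it is not Gigabyte's code and is not taken from this advisory. The SMRAM base and size, the flash region size, the request layout, and all function names are constructed placeholders. Real firmware obtains the SMRAM range from the platform's SMRAM descriptors at SMM initialisation; EDK II packages this test as the SmmMemLib function SmmIsBufferOutsideSmmValid.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder values for this example. Real firmware takes the
 * SMRAM range from the platform's SMRAM descriptors during SMM initialisation
 * and the flash size from the SPI controller or flash descriptor. */
#define SMRAM_BASE        0x7E000000ULL   /* assumed */
#define SMRAM_SIZE        0x00800000ULL   /* assumed: 8 MiB */
#define FLASH_REGION_SIZE 0x01000000ULL   /* assumed: 16 MiB SPI flash */

/* Hypothetical layout of the request a caller hands to the SMI handler. */
typedef struct {
    uint64_t flash_offset;  /* offset into the flash part */
    uint64_t length;        /* bytes to read, write or erase */
    uint64_t buffer;        /* caller-supplied data pointer (physical address) */
} flash_request_t;

typedef enum {
    REQ_OK = 0,
    REQ_BAD_STRUCT_PTR,   /* request structure itself overlaps SMRAM */
    REQ_BAD_BUFFER,       /* data buffer overlaps SMRAM or wraps the address space */
    REQ_BAD_FLASH_RANGE   /* flash offset/length fall outside the part */
} req_status_t;

/* True when [addr, addr+len) is non-empty, does not wrap the 64-bit address
 * space, and does not overlap SMRAM at any byte. */
bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || len > UINT64_MAX - addr)   /* empty request or wraparound */
        return false;
    uint64_t end = addr + len;
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* Validate the pointer to the request structure (the value arriving in a
 * general-purpose register such as RBX) before the structure is read. */
req_status_t check_request_pointer(uint64_t struct_addr)
{
    return buffer_outside_smram(struct_addr, sizeof(flash_request_t))
               ? REQ_OK : REQ_BAD_STRUCT_PTR;
}

/* Validate a request that has already been copied into SMM-private memory.
 * Copying first matters: checking fields in the caller's memory and then
 * re-reading them gives the caller a window to change them (TOCTOU). */
req_status_t validate_flash_request(const flash_request_t *req)
{
    if (req->length == 0 || req->length > UINT64_MAX - req->flash_offset ||
        req->flash_offset + req->length > FLASH_REGION_SIZE)
        return REQ_BAD_FLASH_RANGE;
    if (!buffer_outside_smram(req->buffer, req->length))
        return REQ_BAD_BUFFER;
    return REQ_OK;
}

/* Convenience wrapper: builds an SMM-local copy of a request from scalars
 * and validates it, as a real handler would after the struct pointer check. */
req_status_t classify_request(uint64_t flash_offset, uint64_t length, uint64_t buffer)
{
    flash_request_t local = { flash_offset, length, buffer };
    return validate_flash_request(&local);
}

int main(void)
{
    /* Constructed scenarios: a legitimate OS buffer vs. one aimed into SMRAM. */
    printf("OS buffer        -> %d\n", classify_request(0x1000, 0x2000, 0x00100000ULL));
    printf("SMRAM buffer     -> %d\n", classify_request(0x1000, 0x2000, SMRAM_BASE + 0x1000));
    printf("struct in SMRAM  -> %d\n", check_request_pointer(SMRAM_BASE));
    return 0;
}
```

The order of operations is the point: check the structure pointer, copy the structure into SMRAM, validate the copied fields (including overflow-safe offset arithmetic and the data buffer range), and only then call the flash routines. A handler that dereferences the register-supplied pointer directly, as the advisory describes, skips all three steps.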

Impact

Exploitation of this vulnerability could allow an attacker to execute arbitrary code in System Management Mode (SMM), a highly privileged environment, bypassing operating system protections. Such access could corrupt SMRAM, disrupt UEFI security features like Secure Boot, and facilitate the installation of stealthy firmware implants that persist through operating system reinstalls.

Reproduction

The vulnerability can be reproduced by crafting a pointer structure and supplying it through the RBX and RCX registers to the Software SMI handler, whose flash management functions dereference the unvalidated pointers while operating directly on SMRAM.

Remediation

Users should consult the Gigabyte support site to check for affected systems and apply the latest UEFI firmware updates. Gigabyte has released security bulletins acknowledging these vulnerabilities and providing update instructions.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.2
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.