Gigabyte UEFI Firmware SMM Privilege Escalation Vulnerability via Unchecked RBX Register

Vulnerability

A vulnerability exists in the software SMI handler (SwSmiInputValue 0xB2) of Gigabyte UEFI firmware. A local attacker who can raise that SMI also controls the value of the RBX register at the time of entry, and the handler derives its OcHeader and OcData pointers from that saved register before using them in its power and thermal configuration logic. Neither buffer is checked to lie outside System Management RAM (SMRAM) before the handler performs a series of structured writes to them driven by OcSetup NVRAM values. An attacker can therefore point both buffers into SMRAM, corrupt it with those writes, and escalate to code execution in System Management Mode (SMM).
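To make the bug class concrete, the following is an added example written for this page, not Gigabyte's firmware and not Binarly's or CERT's material. It models the handler pattern the advisory describes: a pointer derived from the caller's saved RBX is written through from SMM. The OC_HEADER and OC_DATA layouts, the handler and demo names, the NVRAM values and the two-page "physical memory" array are all assumptions; the range check reproduces the semantics of EDK II's SmmIsBufferOutsideSmmValid(), including its wrap-around test, against that fake SMRAM. The vulnerable handler and its hardened counterpart are run against the same attacker-chosen RBX so the difference is observable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "physical memory": the first page stands in for OS-owned memory,
 * the second for SMRAM. Nothing here is real firmware or real SMRAM. */
#define PAGE 0x1000u
static _Alignas(8) uint8_t g_mem[2 * PAGE];
#define OS_PAGE    (g_mem)          /* a legitimate place for the caller's OcHeader */
#define SMRAM      (g_mem + PAGE)   /* must never be written on the caller's behalf */
#define SMRAM_BASE ((uint64_t)(uintptr_t)SMRAM)

typedef struct { uint32_t signature; uint32_t data_count; } OC_HEADER; /* assumed layout */
typedef struct { uint32_t index; uint32_t value; } OC_DATA;            /* follows the header */
typedef struct { uint64_t rbx; } SAVE_STATE;                           /* caller's saved RBX */

/* Constructed stand-in for the OcSetup NVRAM values the handler copies out. */
static const uint32_t g_nvram[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };
#define MAX_ENTRIES 4u

/* Same semantics as EDK II's SmmIsBufferOutsideSmmValid(): false if [buf, buf+len)
 * wraps the address space or overlaps SMRAM in either direction. */
static bool buffer_outside_smram(uint64_t buf, uint64_t len)
{
    if (len != 0 && buf > UINT64_MAX - (len - 1)) return false;    /* wrap-around */
    if (buf >= SMRAM_BASE && buf < SMRAM_BASE + PAGE) return false; /* starts in SMRAM */
    if (SMRAM_BASE >= buf && SMRAM_BASE < buf + len) return false;  /* runs into SMRAM */
    return true;
}

/* The structured writes driven by NVRAM values, shared by both handler variants. */
static uint32_t write_entries(OC_DATA *data, uint32_t count)
{
    if (count > MAX_ENTRIES) count = MAX_ENTRIES;
    for (uint32_t i = 0; i < count; i++) {
        data[i].index = i;
        data[i].value = g_nvram[i];
    }
    return count;
}

/* Vulnerable pattern: RBX is trusted; OcHeader and OcData are derived from it and written. */
static int oc_apply_unchecked(const SAVE_STATE *st)
{
    OC_HEADER *hdr = (OC_HEADER *)(uintptr_t)st->rbx;
    return (int)write_entries((OC_DATA *)(hdr + 1), hdr->data_count);
}

/* Hardened pattern: check the header range, fetch the count once, then check the data range. */
static int oc_apply_checked(const SAVE_STATE *st)
{
    uint64_t base = st->rbx;
    if (!buffer_outside_smram(base, sizeof(OC_HEADER))) return -1;
    OC_HEADER *hdr = (OC_HEADER *)(uintptr_t)base;
    uint32_t count = hdr->data_count;                /* single fetch: no later re-read */
    if (count > MAX_ENTRIES) count = MAX_ENTRIES;
    if (!buffer_outside_smram(base + sizeof(OC_HEADER), (uint64_t)count * sizeof(OC_DATA)))
        return -1;
    return (int)write_entries((OC_DATA *)(hdr + 1), count);
}

/* Plants a header at `where`; for the SMRAM cases this stands in for whatever bytes
 * happen to sit at the address the attacker chose for RBX. */
static void plant_header(uint8_t *where, uint32_t count)
{
    OC_HEADER h = { 0x4F434844u, count };
    memcpy(where, &h, sizeof h);
}

/* Runs `handler` with RBX = target; returns its rc and the number of SMRAM bytes changed. */
static int run(int (*handler)(const SAVE_STATE *), uint8_t *target, int *changed)
{
    uint8_t before[PAGE];
    memset(g_mem, 0, sizeof g_mem);
    plant_header(target, MAX_ENTRIES);
    memcpy(before, SMRAM, PAGE);
    SAVE_STATE st = { (uint64_t)(uintptr_t)target };
    int rc = handler(&st);
    *changed = 0;
    for (size_t i = 0; i < PAGE; i++) *changed += before[i] != SMRAM[i];
    return rc;
}

/* RBX pointing into SMRAM: the unchecked handler writes 4 entries there (19 bytes differ). */
int demo_unchecked_corrupts_smram(void)
{
    int changed;
    run(oc_apply_unchecked, SMRAM + 0x100, &changed);
    return changed;
}

/* Same RBX against the checked handler: -1, and no SMRAM byte changes (else -100). */
int demo_checked_rejects_smram_pointer(void)
{
    int changed;
    int rc = run(oc_apply_checked, SMRAM + 0x100, &changed);
    return changed == 0 ? rc : -100;
}

/* Header placed just below SMRAM so only the data range crosses into it: the second
 * check is what rejects this one. */
int demo_checked_rejects_straddling_buffer(void)
{
    int changed;
    int rc = run(oc_apply_checked, OS_PAGE + PAGE - sizeof(OC_HEADER), &changed);
    return changed == 0 ? rc : -100;
}

/* Legitimate caller with its buffer in OS memory: accepted and filled (returns 3). */
int demo_checked_accepts_os_buffer(void)
{
    memset(g_mem, 0, sizeof g_mem);
    plant_header(OS_PAGE, 3);
    SAVE_STATE st = { (uint64_t)(uintptr_t)OS_PAGE };
    int rc = oc_apply_checked(&st);
    const OC_DATA *data = (const OC_DATA *)(OS_PAGE + sizeof(OC_HEADER));
    return (rc == 3 && data[2].index == 2 && data[2].value == 0x33333333u) ? rc : -1;
}

int main(void)
{
    printf("unchecked, RBX in SMRAM      : %d SMRAM bytes corrupted\n", demo_unchecked_corrupts_smram());
    printf("checked, RBX in SMRAM        : rc=%d\n", demo_checked_rejects_smram_pointer());
    printf("checked, data straddles SMRAM: rc=%d\n", demo_checked_rejects_straddling_buffer());
    printf("checked, buffer in OS memory : rc=%d\n", demo_checked_accepts_os_buffer());
    return 0;
}
```

Two details of the hardened variant matter in real SMM code as much as the range check itself: the data range is validated separately, using the length derived from the header, because a header that sits just below SMRAM passes the first check while its data would not; and the count is read from caller memory exactly once, since the caller can rewrite it between a check and a later use.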

Impact

Exploitation of this vulnerability could lead to arbitrary code execution in System Management Mode, a privilege level that sits below the operating system and any hypervisor and is invisible to their security controls. Because SMM code can corrupt SMRAM and typically reaches the SPI flash that holds the firmware, such an exploit could plant a firmware implant that survives operating system reinstalls and disk replacement. It could also undermine UEFI security features such as Secure Boot and Intel BootGuard, leaving a stealthy backdoor into the system.

Reproduction

The vulnerability is reproduced by raising the software SMI that reaches the SwSmiInputValue 0xB2 handler. Software SMIs are triggered by writing the handler's input value to I/O port 0xB2 (the APM command port), so this requires a local context with that level of access, in practice kernel (ring 0) privileges on the running OS. The caller loads RBX with a chosen address before the write; on entry the handler reads the saved RBX, derives the OcHeader and OcData pointers from it, and runs its power and thermal configuration path, which performs the structured writes driven by the unvalidated OcSetup NVRAM values. Pointing RBX into SMRAM turns those writes into SMRAM corruption. A handler that validated its buffers first, for example with SmmIsBufferOutsideSmmValid() from EDK II's SmmMemLib, would reject such a pointer instead.

Remediation

Users should update to the latest UEFI firmware version provided by Gigabyte for their board. Instructions for checking whether a system is affected and how to apply the update are available on the Gigabyte support site. After flashing, confirm that the reported firmware version matches the fixed release (on Linux, `dmidecode -s bios-version` prints it). Boards that are past Gigabyte's support period may not receive a fixed firmware; treat those as exposed and restrict kernel-level access on them until they are replaced.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          7.5
exploitability  3.1
remediation     7.7
relevance       0.3
threat          1.6
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.