Full Report
Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU). UEFI and IOMMU are designed to enforce a security
Analysis Summary
# Vulnerability: Early-Boot DMA Attack Bypass due to IOMMU Misconfiguration in UEFI Firmware
## CVE Details
- CVE ID: See specific CVEs below (Score: 7.0 for all listed)
- CVSS Score: 7.0 (High)
- CWE: CWE-287 (Improper Authentication/Verification - related to protection failure mechanism)
## Affected Systems
- **Products:** Motherboards utilizing UEFI and IOMMU implementations from ASRock, ASUSTeK Computer (ASUS), GIGABYTE, and MSI.
- **Versions:** Unpatched firmware versions on systems utilizing the following chipsets:
* **ASRock:** Intel 500, 600, 700, and 800 series chipsets.
* **ASUS:** Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760, and W790 series chipsets.
* **GIGABYTE:** Intel Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, W790 series chipsets, AND AMD X870E, X870, B850, B840, X670, B650, A620, A620A, and TRX50 series chipsets (TRX50 fix planned for Q1 2026).
* **MSI:** Intel 600 and 700 series chipsets.
- **Configurations:** Systems implementing UEFI where the IOMMU is not correctly configured or enabled during the critical early boot phase, despite the firmware reporting that DMA protection is active.
## Vulnerability Description
The vulnerability exists in the firmware (UEFI) implementations across multiple vendors. It is a protection mechanism failure where the firmware incorrectly signals that Direct Memory Access (DMA) protection is active but fails to properly configure and enable the Input-Output Memory Management Unit (IOMMU) during the critical boot phase before the operating system loads. This security gap allows a malicious, physically present DMA-capable Peripheral Component Interconnect Express (PCIe) device to perform unauthorized memory read/write operations (DMA attacks) on system memory, bypassing OS-level safeguards.
## Exploitation
- **Status:** Implied potential for exploitation; Proof-of-Concept (PoC) status not explicitly stated but strongly suggested by the nature of the flaw.
- **Complexity:** Low (Requires physical access to a DMA-capable peripheral connected to the system).
- **Attack Vector:** Physical (Requires physical access to attach a malicious PCIe device).
## Impact
- **Confidentiality:** High (Attacker can read sensitive data from system memory before OS loading).
- **Integrity:** High (Attacker can modify system memory, potentially leading to pre-boot code injection or corruption of OS initialization state).
- **Availability:** Medium (Potential denial of service through memory corruption during early boot).
## Remediation
### Patches
- Affected vendors (ASRock, ASUS, GIGABYTE, MSI) are releasing **firmware updates** to correct the IOMMU initialization sequence, ensuring DMA protections are enforced throughout the boot process. Users must apply these vendor-specific UEFI/BIOS updates.
- **Note for GIGABYTE TRX50:** Fix is planned for Q1 2026.
### Workarounds
- Adherence to hardware security best practices regarding physical access control.
- Ensuring that firmware configuration enforces proper IOMMU initialization (though the fix is to correct the initialization sequence itself).
## Detection
- **Indicators of Compromise:** Not explicitly detailed, but signs of compromised early boot integrity or unexpected DMA activity during boot stages preceding OS loading may indicate compromise, although this is difficult to detect without specialized hardware analysis tools.
- **Detection methods and tools:** Traditional endpoint detection tools are unlikely to catch this pre-OS vulnerability. Detection relies on verifying the absence of the vulnerability via firmware version checks or monitoring PCIe bus activity if possible pre-OS.
## References
- CERT/CC Advisory: hxxps://kb.cert.org/vuls/id/382314
- Vendor Advisories from ASRock, ASUS, GIGABYTE, and MSI (Specific links not provided in the summary text).