New UEFI flaw enables pre-boot attacks on motherboards from Gigabyte, MSI, ASUS, ASRock

Parkinsond

The UEFI firmware implementation in some motherboards from ASUS, Gigabyte, MSI, and ASRock is vulnerable to direct memory access (DMA) attacks that can bypass early-boot memory protections.

DMA is a hardware feature that allows devices such as graphics cards, Thunderbolt devices, and PCIe devices to read and write directly to RAM without involving the CPU.

IOMMU is a hardware-enforced memory firewall that sits between devices and RAM, controlling which memory regions are accessible for each device.

During early boot, when UEFI firmware initializes, IOMMU must activate before DMA attacks are possible; otherwise, there is no protection in place to stop reading or writing on memory regions via physical access.

The vulnerability was discovered by Riot Games researchers Nick Peterson and Mohamed Al-Sharifi. It causes the UEFI firmware to show that the DMA protection is enabled even if the IOMMU did not initialize correctly, leaving the system exposed to attacks.

Although the researchers described the vulnerability from the perspective of the gaming industry, where cheats could be loaded early on, the security risk extends to malicious code that can compromise the operating system.

 
This report is essentially about a gap/misreporting of DMA/IOMMU protection during early boot on some UEFI implementations, which can leave a window where a physically attached device could access RAM before the OS security stack is up.

What it means (in practical terms)
  • DMA attacks generally require physical access (or the ability to attach a malicious PCIe/Thunderbolt-class device, or an internal add-in card).
  • If IOMMU/VT-d (Intel) or AMD-Vi/IOMMU (AMD) isn’t actually active early enough (or is incorrectly initialized), a device can potentially read/write system memory during the early boot phase.
  • That can be abused for things like pre-OS tampering, credential theft, boot-time compromise, or (as the researchers mention) early-loading cheats. The bigger security concern is that it can undermine OS-level protections if the attacker has the right access.

Who is most at risk
  • Systems exposed to untrusted physical access (shared spaces, LAN events, office desks, repair shops, travel, dorms).
  • Machines with DMA-capable external ports/devices (e.g., Thunderbolt) or accessible PCIe slots.
  • High-value targets where a motivated attacker could invest in specialized hardware.

What you can do now (sensible mitigations)
  • Update BIOS/UEFI to the latest available version for your exact motherboard model. This is the most important step if vendors ship fixes/workarounds.
  • In firmware setup, ensure IOMMU is enabled:
    • Intel: VT-d (and often VT-x as well)
    • AMD: SVM + IOMMU (wording varies by board)
  • In Windows (if applicable), enable protections that reduce DMA exposure:
    • Secure Boot
    • Core isolation / Memory integrity (HVCI), if compatible
    • Use BitLocker (or equivalent full-disk encryption). For stronger “evil maid” resistance, consider TPM + PIN rather than TPM-only.
  • If you don’t need them, disable Thunderbolt/USB4 in BIOS/UEFI, or set the highest security level available (exact options depend on the platform).
  • General hardening: avoid leaving machines unattended in unlocked areas; treat “brief physical access” as a serious threat model.

How to proceed on MalwareTips
If you want, reply with:
  • Motherboard model (exact)
  • Current BIOS/UEFI version
  • CPU platform (Intel/AMD + generation)
  • Whether you use Thunderbolt/USB4
  • OS (Windows version/build or Linux distro)
…and I can suggest the safest, model-appropriate settings to check and the best way to verify you’re on the latest firmware.

If you suspect this affects your system and there’s no firmware update available, it’s worth contacting the motherboard vendor support and/or watching for an advisory/BIOS release tied to this issue.
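An OS-side way to check the "ensure IOMMU is enabled" item from the post above on Linux, as an added example that is not part of the original thread: it reads sysfs to count the IOMMU units the kernel registered and lists PCI devices that have no IOMMU group or sit in an identity (pass-through) group. The function names and the sysfs-root argument are assumptions of this example; the result reflects the state after the kernel is up and says nothing about the pre-boot window the thread describes.

```bash
#!/bin/sh
# Added example: audit IOMMU coverage from Linux sysfs.
# The root argument (default /sys) is an assumption of this example so the
# functions can also be pointed at a constructed test tree.

# Count IOMMU hardware units registered by the kernel (e.g. dmar0, ivhd0).
iommu_units() {
    local root=$1 n=0 e
    for e in "$root"/class/iommu/*; do
        [ -e "$e" ] && n=$((n + 1))
    done
    echo "$n"
}

# List PCI functions whose DMA is not restricted by the IOMMU:
#   <bdf>:no-group  device is not attached to any IOMMU group
#   <bdf>:identity  group is in pass-through mode (1:1 mapping, no isolation)
uncovered_devices() {
    local root=$1 d type
    for d in "$root"/bus/pci/devices/*; do
        [ -d "$d" ] || continue
        if [ ! -e "$d/iommu_group" ]; then
            echo "$(basename "$d"):no-group"
        else
            type=$(cat "$d/iommu_group/type" 2>/dev/null || echo unknown)
            [ "$type" = identity ] && echo "$(basename "$d"):identity"
        fi
    done
    return 0
}

# Verdict: returns 0 only if an IOMMU is registered and every PCI device
# sits in a translated group; prints the reason otherwise.
iommu_report() {
    local root=${1:-/sys} units missing
    units=$(iommu_units "$root")
    missing=$(uncovered_devices "$root")
    if [ "$units" -eq 0 ]; then
        echo "FAIL: kernel registered no IOMMU (check VT-d / AMD IOMMU in firmware setup)"
        return 1
    fi
    if [ -n "$missing" ]; then
        echo "FAIL: devices without IOMMU isolation: $(echo $missing)"
        return 1
    fi
    echo "OK: $units IOMMU unit(s), all PCI devices in translated groups"
}

# Run against the live system only when asked: sh iommu_check.sh /sys
if [ "$#" -gt 0 ]; then iommu_report "$1"; fi
```

A FAIL here after a firmware update means the setting did not take effect at OS level; an OK does not prove the firmware enabled protection early enough during boot.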
 
A significant security vulnerability has emerged affecting motherboards from Gigabyte, MSI, ASRock, and ASUS. Riot Games analysts and researchers identified a critical flaw during their ongoing investigation into gaming system security.

The vulnerability, termed “Sleeping Bouncer,” exploits a weakness in the pre-boot protection mechanisms that are supposed to safeguard computer hardware during system initialization.

The flaw allows attackers to inject malicious code during the earliest moments of a computer’s boot sequence.

While security features appear enabled in the BIOS settings, the underlying hardware implementation fails to activate protective mechanisms properly.

This creates a narrow but exploitable window where malware can take control of the system before traditional security programs even activate.
Full Story:
 
BTW, your posts are fodder for Brave LLM (it's interesting that it doesn't cite the primary sources first). Be proud! (And don't do anything to confuse the AI).


PS: Now I know where these kinds of numbers come from 😉: Total: 1,473 (members: 20, guests: 1,453)
 
BTW, your posts are fodder for Brave LLM (it's interesting that it doesn't cite the primary sources first). Be proud! (And don't do anything to confuse the AI).


PS: Now I know where these kinds of numbers come from 😉: Total: 1,473 (members: 20, guests: 1,453)
feeding the beast
 
