VU#209095: SMM Memory Corruption Vulnerability in the AMI Aptio’s SMM Module Across Multiple Devices

Overview

System Management Mode (SMM) memory corruption vulnerabilities have been identified in UEFI modules present in AMI Aptio UEFI firmware. An attacker could exploit this vulnerability to elevate privileges and execute arbitrary code in the highly privileged SMM environment. Users should apply UEFI firmware updates provided by their supply-chain-supported vendors to address these issues.

Description

The Unified Extensible Firmware Interface (UEFI) specification defines an interface between an operating system (OS) and platform firmware. The UEFI specification defines mechanisms that allow firmware code to execute in System Management Mode (SMM), a highly privileged CPU mode intended for low-level system operations and direct hardware access. SMM operations are executed within a CPU protected memory region called System Management RAM (SMRAM). This environment is often referred to as “ring -2” because it operates at a deeper privilege level than the OS kernel (ring 0) and hypervisor (ring -1).

A vulnerability has been identified in certain firmware modules of AMI APTIOV related to improper pointer validation. Specifically, the code fails to adequately validate pointer values to prevent overlap with SMRAM. This allows memory references to be redirected into SMRAM, potentially enabling unauthorized code execution within SMM. An attacker exploiting this flaw could corrupt memory and overwrite sensitive SMRAM data, including firmware components that may later be written to PCI flash memory—establishing persistent control over the device.

Impact

Successful exploitation of this vulnerability may allow execution of code within System Management Mode (SMM), a highly privileged environment in firmware. This could bypass certain firmware-level protections, such as those protecting the SPI flash memory, and enable persistent modifications to the firmware that operate independently of the OS.

Solution

Install the latest UEFI firmware updates provided by your PC vendor. Refer to the Vendor Information section below and AMI’s security advisory. As these vulnerabilities may affect firmware distributed through the supply chain, multiple PC OEMs may be impacted. Continue monitoring the Vendor Information section for updates relevant to your device.

Acknowledgements

Thanks to Binarly REsearch team for the responsible disclosure of this vulnerability to CERT/CC. Thanks also to AMI for their collaboration and timely response. This document was written by Ben Koo.