A vulnerability affecting UEFI firmware on motherboards from ASRock, ASUS, GIGABYTE, and MSI prevents proper initialization of IOMMU protections during system boot, exposing systems to direct memory access (DMA) attacks before OS-level defenses activate.
The flaw, tracked as VU#382314 by CERT/CC and associated with multiple CVEs (CVE-2025-14302/14303/14304), allows physically present attackers with malicious PCIe devices to read or modify memory during the early boot phase. Despite firmware claiming DMA protections are active, improper IOMMU setup leaves memory unprotected, enabling pre-boot tampering and potential data theft.
The vulnerability was reported by Nick Peterson and Mohamed Al-Sharifi of Riot Games, who collaborated with CERT Coordination Center (CERT/CC) and TWCERT/CC to notify affected vendors.
At the core of the issue is a “Protection Mechanism Failure” stemming from a misconfigured IOMMU (Input–Output Memory Management Unit) during the UEFI boot process. The IOMMU, which is designed to isolate DMA-capable devices from accessing unauthorized memory regions, remains inactive or partially initialized until the OS kernel takes control. This leaves a critical window where rogue PCIe peripherals, such as malicious expansion cards, can perform unrestricted DMA, bypassing early-stage security policies.
This attack vector enables both data exfiltration and pre-boot code injection, threatening the confidentiality and integrity of system memory.
Affected motherboards
The vulnerability affects UEFI-based systems across several Intel and AMD platforms from four major vendors:
ASRock: Intel 500, 600, 700, and 800 series motherboards. Firmware updates are available for most platforms except for 500-series boards, which are still pending. CVE: CVE-2025-14304
ASUS: Z490 through Z790 and W790 chipsets, spanning both Intel consumer and workstation boards. Users must not only apply the BIOS update but also enable “Full Protection” for IOMMU DMA settings in the BIOS manually. CVE: CVE-2025-11901
GIGABYTE: Intel 600–800 and AMD 600–800, including TRX50 platforms. BIOS patches have been released for all except TRX50, expected in Q1 2026. CVE: CVE-2025-14302, internal ID: TVN-202512003
MSI: Intel 600 and 700 series chipsets. Patches are available and marked as completed for both chipset generations. CVE: CVE-2025-14303
Each vendor has issued separate advisories urging users to install firmware updates and follow specific BIOS configuration steps. ASUS and GIGABYTE, in particular, stress the need for manual IOMMU setting changes in the BIOS setup utility post-update.
Since DMA-capable PCIe devices are common and not easily blocked in hardware, failure to fully initialize the IOMMU during early boot violates a key assumption of modern boot security.
Administrators and end users should take the following actions to secure affected systems:
- Apply BIOS/UEFI firmware updates immediately from the official vendor support sites.
- Manually enable full DMA protection in the BIOS/UEFI setup utility.
- Avoid using untrusted PCIe expansion devices, especially in uncontrolled physical environments.
- Audit physical access policies for systems potentially vulnerable during pre-boot stages.
Leave a Reply