Update: 31st January 2019
In a follow up to this post; I realized that software installed within my Windows 10 Pro for Workstations system (Version 1803) may be vulnerable to similar issues as the Asus and Gigabyte software.
The software; Creative Sound Blaster Connect for Windows v22.214.171.124)(June 2018) is installed on my system and controls (among other features) the LED lights of my dedicated sound card Sound BlasterX AE-5 Pure edition. The lights are installed on the card and via an extended magnetic chain of 40 LED lights.
This software has the ability to connect to the internet in order to install updates from Creative. In an effort to check if this functionality could be abused to access the software; I took the basic steps of scanning the ports listed within the attached document using Nmap (using another system located on my local network (LAN)). I also checked if these ports were accessible via the internet from outside of my network by probing specific ports (User Specified Custom Port Probe) using the free ShieldsUp service from Grc.com):
The Nmap scans were only the following basic scans:
TCP Connect Scan:
Stealth Scan (TCP SYN Scan):
UDP Scan (where applicable):
TCP ACK Scan:
The results were; none of the ports were accessible via my local network or via the internet thanks to the software firewall (bundled with my anti-malware software). The firewall gracefully handled each scan and blocked it while only logging the event rather than displaying a notification.
To further harden the Creative software from possible attack I chose to enable Microsoft’s Windows Defender Exploit Guard. I have attached a table (see link “Creative Processes and Ports” below) of the necessary running processes of the Creative software and which of the memory protections I was able to turn on; in short almost all of them. Windows Defender Exploit Guard is the successor to EMET (originally made available by Microsoft in 2010. Support ended for EMET on the 31st July 2018:
Since my Windows 10 system is fully up to date and I don’t link on links within emails or open suspicious attachments (in addition to using application white listing). Moreover; the software can’t be accessed via the internet or via my local network and now has many layers of in memory defenses enabled the likelihood of any vulnerabilities within the Creative software being exploited is minimized. If a rogue update is downloaded via the internet; it can’t run since only updates digitally signed by Creative are enabled to run (due to the whitelisting mentioned earlier).
While all of the above may be considered an “overreaction”; while exploits against such software are still yet to be seen in the wild; it never hurts to be prepared for the future. In addition, I don’t wish for the seemingly innocuous technology of LED lights being used to compromise my system.
Creative Processes and Ports
In mid-December security researchers from SecureAuth disclosed local elevation of privilege and code execution vulnerabilities within software and drivers (defined) from hardware vendors Asus and Gigabyte.
What is the severity and impact of these vulnerabilities?
ASUS Aura Sync v1.07.22 and previous versions:
For the Asus Aura Sync software; two vulnerable drivers are installed and have the potential to allow local code execution by an attacker.
There are three vulnerabilities within this software:
CVE-2018-18535: affects the Asusgio driver by leaving an exposed read/write method available for model specific registers (MSRs)(defined). This weakness can be leveraged to execute arbitrary code with System level (defined)(ring 0) privileges. Diego Juarez, the security researcher who discovered these vulnerabilities; created proof of concept code to allow insecure access to the MSRs via a stray kernel (defined) function pointer (defined) allowing the bypass of kernel address space layout randomization (KASLR)(defined) which results in a denial of service (DoS) condition in the form of a Blue Screen of Death (BSoD). This would have medium to high impact depending on the criticality of the system that is rendered temporarily unavailable by the BSoD.
CVE-2018-18536: the proof of concept for this vulnerability results in the system rebooting. This was achieved by utilizing the ability to read and write data to IO ports using the GLCKIo and Asusgion drivers. This ability can be used to run code of your choice with elevated privileges. This would have a high to critical severity since any code of the attackers choice could be leveraged for a purpose of their choosing.
CVE-2018-18537: can be used to trigger a system crash. This is achieved by writing 32 bits of data (DWORD)(explanation) to an address of an attackers choice. This can corrupt data and lead to unexpected behavior such as a crash. This would have a low to high depending upon the type of data that became corrupted.
Gigabyte App Center v1.05.21 and previous
Aorus Graphics Engine v1.33 and previous
Xtreme Gaming Engine v1.25 and previous
OC Guru II v2.08
CVE-2018-19320: has the potential to grant the attacker full access to the affected system and is thus medium to high in severity. The proof of concept for this is the same as for CVE-2018-18537 (above). CVE-2018-19322 is very similar to CVE-2018-18636 described above. CVE-2018-19323 is again very similar to CVE-2018-18535 already described above.
Finally CVE-2018-19321 could place an attacker in complete control of the victim system upon exploiting drivers within the Gigabyte App Center; Aorus Graphics Engine, Xtreme Gaming Engine or OC Guru (version numbers listed above). The proof of concept provided crashed the system but would be of medium to high severity due to the potential for further malicious action.
How can I protect my organization or myself from these vulnerabilities?
As per the Asus and Gigabyte advisories; only Asus fixed one of the disclosed vulnerabilities. If you use any of the above affected software, please update it to the most recent version available. In addition; exercise standard caution regarding handling emails, email attachments and the clicking of links (no matter in what form you receive such links). These vulnerabilities are all locally exploitable and thus require you to take an action out of the ordinary to harm your system.
The fact that neither company responded effectively is a concern; especially given how widely used these software applications are across the many hardware products both vendors sell to organisations and individuals.
The relevant advisories from SecureAuth are linked to here (Asus) and here (Gigabyte).
Why am I highlighting the vulnerabilities in these software packages?
I am highlighting these vulnerabilities since they re-demonstrate that any software installed on a system can contain vulnerabilities not just internet facing or widely used applications (making these Asus and Gigabyte applications a lot less likely to be updated by end-users). While this software may be considered innocuous (since it does not directly access the internet (except in the case to check for updates)) and is not used to open files/documents; given the low-level drivers the software uses; they still have the potential to provide an attacker with a means for malicious action.
I am aware of the availability of the Asus Aura Sync software since it is offered as a download for my Asus Rampage VI motherboard. I have not installed it since the motherboard LEDs already work (due to the UEFI firmware controlling them) to my satisfaction without software. Thus I chose not to install the software since I didn’t need it. While my system isn’t affected since the Asus software is not installed; it’s a concern that widely used applications are not being patched.
While I can acknowledge Gigabyte stating it is a hardware company; clearly the drivers and software it distributes to use and optimize/customize those products requires some maintenance from time to time; especially in the case where a vulnerability notification is provided. While Asus resolved one vulnerability it did not resolve the remaining two even when it too was provided with the necessary technical details.