In mid-December security researchers from SecureAuth disclosed local elevation of privilege and code execution vulnerabilities within software and drivers (defined) from hardware vendors Asus and Gigabyte.
What is the severity and impact of these vulnerabilities?
ASUS Aura Sync v1.07.22 and previous versions:
For the Asus Aura Sync software; two vulnerable drivers are installed and have the potential to allow local code execution by an attacker.
There are three vulnerabilities within this software:
CVE-2018-18535: affects the Asusgio driver by leaving an exposed read/write method available for model specific registers (MSRs)(defined). This weakness can be leveraged to execute arbitrary code with System level (defined)(ring 0) privileges. Diego Juarez, the security researcher who discovered these vulnerabilities; created proof of concept code to allow insecure access to the MSRs via a stray kernel (defined) function pointer (defined) allowing the bypass of kernel address space layout randomization (KASLR)(defined) which results in a denial of service (DoS) condition in the form of a Blue Screen of Death (BSoD). This would have medium to high impact depending on the criticality of the system that is rendered temporarily unavailable by the BSoD.
CVE-2018-18536: the proof of concept for this vulnerability results in the system rebooting. This was achieved by utilizing the ability to read and write data to IO ports using the GLCKIo and Asusgion drivers. This ability can be used to run code of your choice with elevated privileges. This would have a high to critical severity since any code of the attackers choice could be leveraged for a purpose of their choosing.
CVE-2018-18537: can be used to trigger a system crash. This is achieved by writing 32 bits of data (DWORD)(explanation) to an address of an attackers choice. This can corrupt data and lead to unexpected behavior such as a crash. This would have a low to high depending upon the type of data that became corrupted.
Gigabyte App Center v1.05.21 and previous
Aorus Graphics Engine v1.33 and previous
Xtreme Gaming Engine v1.25 and previous
OC Guru II v2.08
CVE-2018-19320: has the potential to grant the attacker full access to the affected system and is thus medium to high in severity. The proof of concept for this is the same as for CVE-2018-18537 (above). CVE-2018-19322 is very similar to CVE-2018-18636 described above. CVE-2018-19323 is again very similar to CVE-2018-18535 already described above.
Finally CVE-2018-19321 could place an attacker in complete control of the victim system upon exploiting drivers within the Gigabyte App Center; Aorus Graphics Engine, Xtreme Gaming Engine or OC Guru (version numbers listed above). The proof of concept provided crashed the system but would be of medium to high severity due to the potential for further malicious action.
How can I protect my organization or myself from these vulnerabilities?
As per the Asus and Gigabyte advisories; only Asus fixed one of the disclosed vulnerabilities. If you use any of the above affected software, please update it to the most recent version available. In addition; exercise standard caution regarding handling emails, email attachments and the clicking of links (no matter in what form you receive such links). These vulnerabilities are all locally exploitable and thus require you to take an action out of the ordinary to harm your system.
The fact that neither company responded effectively is a concern; especially given how widely used these software applications are across the many hardware products both vendors sell to organisations and individuals.
Why am I highlighting the vulnerabilities in these software packages?
I am highlighting these vulnerabilities since they re-demonstrate that any software installed on a system can contain vulnerabilities not just internet facing or widely used applications (making these Asus and Gigabyte applications a lot less likely to be updated by end-users). While this software may be considered innocuous (since it does not directly access the internet (except in the case to check for updates)) and is not used to open files/documents; given the low-level drivers the software uses; they still have the potential to provide an attacker with a means for malicious action.
I am aware of the availability of the Asus Aura Sync software since it is offered as a download for my Asus Rampage VI motherboard. I have not installed it since the motherboard LEDs already work (due to the UEFI firmware controlling them) to my satisfaction without software. Thus I chose not to install the software since I didn’t need it. While my system isn’t affected since the Asus software is not installed; it’s a concern that widely used applications are not being patched.
While I can acknowledge Gigabyte stating it is a hardware company; clearly the drivers and software it distributes to use and optimize/customize those products requires some maintenance from time to time; especially in the case where a vulnerability notification is provided. While Asus resolved one vulnerability it did not resolve the remaining two even when it too was provided with the necessary technical details.