Search the Community

The vulnerabilities extend this time to Asus and GIGABYTE, where both companies have already been informed of their vulnerabilities in their lighting control software of both brands respectively. Aura Sync and AORUS Graphics Engine must be patched in up to 4 versions to prevent any attacker from escaping privileges through such control software. Six vulnerabilities and five affected products It has been the SecureAuth company that has made both discoveries and made them known to both companies with enough time for these vulnerabilities to be patched and corrected. In the case of Asus, the communication between the two companies occurred in November 2017, where Asus subsequently recognized the problem. Thus, on March 26 of this year the company launched a new review of Aura Sync informing that the problems were corrected, but it was not until May when SecureAuth checked the improvements, where only one of the three problems was corrected. The case of GIGABYTE is more flagrant, since upon being informed the company's technical support team responded to SecureAuth that GIGABYTE is a hardware company, not being specialized in software. Even so, they requested technical details to verify the vulnerabilities. Shortly afterwards, their response perplexed SecureAuth engineers, since GIGABYTE responded that according to their PM and engineers, their products are not affected by the vulnerabilities described. To put this in perspective, SecureAuth reported that Asus Aura Sync 1.07.22 and earlier versions install two vulnerable drivers, while in the case of GIGABYTE this extends to its Application Center software 1.05.21 and later at the same time as AORUS Graphics Engine (1.33 and later), the XTREME Engine utility (v1.25 and earlier) and OC Guru II (v2 .08). To be specific, in the case of Asus the security errors found correspond to CVE-2018-18537, CVE-2018-18536, CVE-2018-18535, through the GLCKIo and Asusgio drivers. In the case of vulnerability CVE-2018-18537 with a simple proof of concept or PoC a system failure can be achieved, while in the case of CVE-2018-18536 a possibility of reading and writing data from and to IO ports, which could be used by the attacker to execute code with elevated privileges. Vulnerability CVE-2018-18535 also exposes a method of reading and writing but through MSR (specific controls of the CPU architecture with features such as debugging, monitoring or monitoring program execution). That can produce blue screens of death in the worst case. GIGABYTE is not far behind with 3 other vulnerabilities In the case of GIGABYTE the affected drivers are GPCIDrv and GDrv where it was discovered that they can receive system calls from the user's processes without privileges, even with a low level of integrity, so Windows validates them as a trust code. Vulnerability CVE-2018-19320 gives the attacker full control of the system, so it is the most serious of those registered, and can even block the system. The second vulnerability (CVE-2018-19322) allows the attacker to increase his privileges on the system, where at least SecureAuth has managed to restart the affected computer. Finally, the CVE-2018-19323 vulnerability causes BSOD, since the exploit executed filters the pointer of a kernel function and prevents KASLR protection. Neither Asus nor GIGABYTE have reported again if they have finally corrected the vulnerabilities, so yesterday they were published publicly after being notified for more than a year.