SecureAuth issued advisories for two elevation of privilege vulnerabilities found in ASUS and Gigabyte products.
In both cases, the vulnerabilities remain, as ASUS has not implemented a fix and Gigabyte is claiming SecureAuth’s research is incorrect and there is no problem.
The ASUS flaws, CVE-2018-18537, CVE-2018-18536 and CVE-2018-18535, were found by SecureAuth and reported to ASUS in November 2017. But despite a steady stream of correspondence, and two software updates issued by ASUS in April and May 2018, the vulnerabilities remain, SecureAuth said in its advisory.
The flaws are found in drivers and utilities the company supplied to give users more control over certain settings and functions of the motherboard. The drivers are for GLCKIo and Asusgio, which gives the owner additional control over RGB lighting, enabling a gaming computer to be personalized with LED lights.
“Default installation allows non-privileged user processes (even those running at LOW INTEGRITY) to get a HANDLE and issue IOCTL codes to these drivers,” SecureAuth wrote.
SC Media has attempted to contact ASUS for a statement on the issue.
The issues with the Gigabyte drivers, CVE-2018-19320, CVE-2018-19322, CVE-2018-19323 and CVE-2018-19321, cover the company’s APP Center, Aorus Graphics Engine, Xtreme gaming engine and OC Guru II products.
SecureAuth first contacted Gigabyte in April 2018, and after a lengthy correspondence and being presented with SecureAuth’s technical report on the issue, Gigabyte claimed its products are not affected.
SecureAuth found these products “use low-level drivers to program and query the status on several embedded ICs on their hardware. Fan curves, clock frequencies, LED colors, thermal performance and other user-customizable properties and monitoring functionality are exposed to applications through these low-level kernel drivers.”
Like the ASUS issue, a default set -p allows non-privileged user processes (even running at low integrity) to get a handle and issue IOCTL codes to these drivers.
Gigabyte could not be contacted for comment.