major security vulnerability in MSI Afterburner

d3athf1sh

[H]ard|Gawd
Joined
Dec 16, 2015
Messages
1,250
So I noticed the version of Afterburner I had installed was no longer applying the voltage tweak to my card, so I installed the latest version, which tripped my virus program (ESET NOD32). After a little digging I found out there's a big security hole that's been used for ransomware attacks, that was discovered all the way back in 2019 and has never been patched. Here's some info:

BlackByte ransomware abuses legit driver to disable security products

The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions.
Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098.

full article and more info here:
https://www.bleepingcomputer.com/ne...es-legit-driver-to-disable-security-products/
https://nvd.nist.gov/vuln/detail/CVE-2019-16098

**And in case anyone was wondering, I guess it's Nvidia that has somehow disabled voltage control with their newer drivers, because I updated my graphics driver for the first time in probably a year or more to get better performance with Baldur's Gate 3 (which worked), and voltage control always worked before that.
 
> I believe Afterburner is not being updated anymore?

No, it is. There was a point where they thought it wasn't going to be earlier this year, because the Russian guy that was doing it got his funding cut, but I guess they worked out a deal and version 4.6.5 came out a few weeks later, which was in April of this year.
 
Well, I believe I'm affected :( , revert back to an old version just for the fan profile.
 
I'm not seeing how you know it's still affected; your info is old.

Remove Afterburner, run DDU, reinstall video drivers, reinstall AB.
 
Umm... I am pretty sure this is just not the case... The only thing I could find was for version 4.6.2

https://nvd.nist.gov/vuln/detail/CVE-2019-16098#VulnChangeHistorySection

Current version is 4.6.5 and Microsoft Defender found no issues with this download...

I have read that if you download Afterburner from other (malicious) sites you may get a compromised version, but downloading it directly from MSI seems to be fine...
 
> I'm not seeing how you know it's still affected; your info is old.
>
> Remove Afterburner, run DDU, reinstall video drivers, reinstall AB.

It's the same; I tried multiple versions. They are all affected. It's the RTCore64.sys driver component, as stated in the article linked above.
 
> Umm... I am pretty sure this is just not the case... The only thing I could find was for version 4.6.2
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-16098#VulnChangeHistorySection
>
> Current version is 4.6.5 and Microsoft Defender found no issues with this download...
>
> I have read that if you download Afterburner from other (malicious) sites you may get a compromised version, but downloading it directly from MSI seems to be fine...

No AV detects anything malicious with Afterburner 4.6.5: https://www.virustotal.com/gui/file/6a25d3deda56844c6ea3202c239257d94280dd3b3a56c517616e17d0fb8ee60f

I think d3athf1sh is probably right that this RTCore64.sys modification they do still has this vulnerability. It's up to anyone to decide whether they want to use it. It's not like Afterburner is directly bundled with a virus/malware, but if something else malicious comes onto your system it can potentially exploit that vulnerability. I think if you're letting ransomware onto your system in the first place you have a much bigger issue to worry about.

> Because it's Windows Defender. There's a reason it's free.

Defender is actually good now. It's not like the old days of Microsoft Security Essentials. For all friends and family I don't even recommend third-party AV nowadays, save for a Malwarebytes free scan (not a paid subscription) if they have PUPs.

I encourage you to look up independent testing. Here's one example where Defender actually does better than your ESET: https://www.av-comparatives.org/comparison/ at a 99.2% blocked rate vs 98.8% on ESET.
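A defender-side check for the question this thread keeps circling (is RTCore64.sys on my machine, is it loaded, which build is it, and is the OS blocklist on?), added here as an example and not code from the thread, from MSI or from the Afterburner project. It assumes only the driver filename RTCore64.sys named above and the VulnerableDriverBlocklistEnable registry value that Microsoft documents for its vulnerable driver blocklist; the version and SHA256 it prints can then be compared against the NVD entry and looked up on VirusTotal, the same way posters above checked the installer. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: inventory any RTCore64.sys on this host and
# report what a defender needs before deciding whether the BYOVD risk applies:
# whether it is registered/loaded as a kernel service, where the file lives,
# its version, its Authenticode signer, and whether Windows' vulnerable-driver
# blocklist is enabled. Assumptions: the driver name (from the thread) and the
# VulnerableDriverBlocklistEnable value (from Microsoft's blocklist docs).

# 1. Kernel driver services whose image is RTCore64.sys (loaded or merely registered).
$services = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like '*RTCore64*' }

foreach ($svc in $services) {
    # PathName may be quoted or carry a \??\ or \SystemRoot\ prefix; normalise it.
    $path = $svc.PathName -replace '^"|"$', '' `
                          -replace '^\\\?\?\\', '' `
                          -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State        # "Running" means the driver is loaded right now
        StartMode = $svc.StartMode
        Path      = $path
    }
}

# 2. Copies of RTCore64.sys on disk (Afterburner keeps it in its own install
#    directory), with version, hash and signature details.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32\drivers") |
    Where-Object { $_ -and (Test-Path $_) }
$files = Get-ChildItem -Path $roots -Recurse -Filter 'RTCore64.sys' -File -ErrorAction SilentlyContinue

foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path        = $f.FullName
        FileVersion = $f.VersionInfo.FileVersion
        Product     = $f.VersionInfo.ProductName
        SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SigStatus   = $sig.Status     # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject
    }
}

# 3. Is the Microsoft vulnerable driver blocklist switched on? 1 = enabled;
#    a missing value means the OS default applies, which differs by Windows version.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
"VulnerableDriverBlocklistEnable = $(if ($null -eq $blocklist) { '<not set>' } else { $blocklist })"
```

A "Running" service entry is the fact that matters for the risk model described in the post above: a signed driver that is already loaded is what a later piece of malware would lean on, whereas a file sitting unloaded in a directory is far less interesting. The hash is printed so it can be checked against VirusTotal rather than trusting a detection verdict on the installer archive alone.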
 
> Umm... I am pretty sure this is just not the case... The only thing I could find was for version 4.6.2
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-16098#VulnChangeHistorySection
>
> Current version is 4.6.5 and Microsoft Defender found no issues with this download...
>
> I have read that if you download Afterburner from other (malicious) sites you may get a compromised version, but downloading it directly from MSI seems to be fine...

Guru3D is the primary site to download Afterburner from. MSI didn't update the version they hosted to the newest one until a month after it was released on Guru3D.
 
> No AV detects anything malicious with Afterburner 4.6.5: https://www.virustotal.com/gui/file/6a25d3deda56844c6ea3202c239257d94280dd3b3a56c517616e17d0fb8ee60f
>
> I think d3athf1sh is probably right that this RTCore64.sys modification they do still has this vulnerability. It's up to anyone to decide whether they want to use it. It's not like Afterburner is directly bundled with a virus/malware, but if something else malicious comes onto your system it can potentially exploit that vulnerability. I think if you're letting ransomware onto your system in the first place you have a much bigger issue to worry about.
>
> Defender is actually good now. It's not like the old days of Microsoft Security Essentials. For all friends and family I don't even recommend third-party AV nowadays, save for a Malwarebytes free scan (not a paid subscription) if they have PUPs.
>
> I encourage you to look up independent testing. Here's one example where Defender actually does better than your ESET: https://www.av-comparatives.org/comparison/ at a 99.2% blocked rate vs 98.8% on ESET.

I never said it was bundled malware, I said it's a security vulnerability, and it doesn't detect while downloading the rar file; it detects on install. I could go back and redo it and take screenshots, but I don't feel like it. You can either take my word for it or don't.
 
> It was patched days after the disclosure according to the Afterburner dev, which they mentioned in a Reddit post.

Ok... given the nature of the Afterburner userbase, I was about 1000% sure this must have been addressed, as the posting about it on the internet would have been epic if it had been unpatched since 2021 or whatever...
 