Asus and Gigabyte Drivers Allegedly Contain Serious Security Vulnerabilities

[AlphaAtlas]

BleepingComputer reports that SecureAuth published "driver elevation of privilege" vulnerabilities for desktop Gigabyte and Asus motherboards. According to the Asus report, multiple vulnerabilities were found in the GLCKIo and Asusgio drivers that the company's Aura Sync RGB control software installs. SecureAuth notified Asus over a year ago, but didn't immediately receive a response. 2 months and 3 emails later, Asus asked for technical details, reportedly released an update in April that only fixed one of the two major vulnerabilities, and didn't respond to any more emails. Meanwhile, after sending multiple emails, SecureAuth received a response from Gigabyte asking SecureAuth to open a support ticket. SecureAuth said they wished to keep correspondence private, and then Gigabyte claimed "that Gigabyte is a hardware company and they are not specialized in software." The security company sent over a draft of the vulnerability anyway, Gigabyte responded by saying the draft was too vague and asked for a phone contact, and 2 months later, Gigabyte claimed that "its products are not affected by the reported vulnerabilities."

SecureAuth published proof of concept code for both the Asus and Gigabyte vulnerabilities, and according the report, the affected Asus and Gigabyte drivers are still vulnerable. Non privileged users that are "even running at LOW INTEGRITY" can allegedly abuse the exploits and "take complete control of the affected system."

Thanks to Schtask for the tip.

 

[B00nie]

Another example why less is more and bloat sucks.

 

[SJetski71]

Scratch Gigabyte and Asus off my off my short term shopping list, hello MSI.

Get your acts together, dummies, because you two are literally asking for problems. You lost that critical moment to make yourselves look good.

 

[mkk]

These companies may have come up with some nifty software features in recent years, but the quality of the code or installer packaging has often been sketchy.
Evade every bit that you don't really need. Check for instance if the BIOS controls can be good enough by itself even if it's limited.

 

[Solhokuten]

Well thats terrible news for me. I just got a new Gigabyte board, I guess ill uninstall the software tonight.

 

[Absalom]

Just a FYI, some other brands out there also incorporate these software APIs to drive their own RGB lights.

I just double checked, and indeed, G.Skill's RGB control software I'm currently using has the GLCKIo.dll in its folder. YMMV.

 

[Elf_Boy]

Sounds like the Asus support I know.

Corporate culture makes it bad to report a problem.

 

[katanaD]

LOL.. this is a joke, right?

so let me get this straight.. you install RGB control software on your computer.. something not a normal non admin end user is going to do.. its going to be a gamer running as ADMINISTRATOR on his own rig.

Then .. to exploit these "critical" vulnerabilities, one has to then be running malicious code to exploit said vulnerability

Well.. there is the ONLY issue here.. your running malicious code

 

[Nenu]

Just a FYI, some other brands out there also incorporate these software APIs to drive their own RGB lights.

I just double checked, and indeed, G.Skill's RGB control software I'm currently using has the GLCKIo.dll in its folder. YMMV.

Interesting.
My GSkill Ripjaws MX780 RGB keyboard has their software installed and that dll does not exist on my system drive.
I am on version 2.03
Just checked, this is the latest release from 2017.

 

[c3141hf]

LOL.. this is a joke, right?

so let me get this straight.. you install RGB control software on your computer.. something not a normal non admin end user is going to do.. its going to be a gamer running as ADMINISTRATOR on his own rig.

Then .. to exploit these "critical" vulnerabilities, one has to then be running malicious code to exploit said vulnerability

Well.. there is the ONLY issue here.. your running malicious code

I don't think you quite understand the exploit.

Administrator != Ring 0. This allows for malicious kernel mode code to be executed. Ring 0 is basically unmitigated access to the computer hardware which is actually higher than administrator and basically allows for the system to be rooted at a very low level (bypassing the normal signing requirements for running kernel mode code).

 

[travisty]

Oh nice. Another reason for me to jump on the rgb lightshow bandwagon!

...

 

[katanaD]

I don't think you quite understand the exploit.

Administrator != Ring 0. This allows for malicious kernel mode code to be executed. Ring 0 is basically unmitigated access to the computer hardware which is actually higher than administrator and basically allows for the system to be rooted at a very low level (bypassing the normal signing requirements for running kernel mode code).

but it is still relying on YOU running malicious code on your computer.

irregardless of anything else.. if you are running malicious code on your computer.. you are already compromised

 

[B00nie]

but it is still relying on YOU running malicious code on your computer.

irregardless of anything else.. if you are running malicious code on your computer.. you are already compromised

No, it only requires YOU to visit any infected site on the internet and it will run the code FOR you. Or preview an infected e-mail on your outlook/whatever client. Or install an infected USB stick (some come preinfected from the factory) etc.

 

[darckhart]

"we're a hardware company not a software company" AHAHAHA so you get to ignore what's really happening and live in your own bubble? sounds a lot like facebook. "oh no we're not a news and media company" except majority of people get their news from facebook now so yea...... TAKE SOME RESPONSIBILITY COMPANIES.

 

[DeathFromBelow]

At least with Gigabyte you can set up the RGB LED colors in the BIOS without installing any crapware in the OS. Or is that only on certain boards?

there is the ONLY issue here.. your running malicious code

Remember the 'internet drive-by' attacks that were common in the Windows XP era? Vista introduced much stronger privilege escalation features, but malware can still exploit crappy drivers like this to get around it. You could unknowingly be infected just by visiting an infected page.

 

[AlphaAtlas]

Scratch Gigabyte and Asus off my off my short term shopping list, hello MSI.

Get your acts together, dummies, because you two are literally asking for problems. You lost that critical moment to make yourselves look good.

ASRock had a similar security vulnerability, but they did patch it before it went public. So I wouldn't be suprised if MSI mobos had similar issues.

I think the bigger message is "don't run RGB LED software (or other optional mobo drivers) if system security is really important"

 

[mufcfan]

I have a Gigabyte Z270 Gaming K3 board since last summer. NONE of their software works or ever worked for me except the drivers.
They claimed that it works on the previous Win10 version, until they gave up and did not even post updates to their software anymore except for the soundcard drivers. (Which is obviously not theirs.)

I have a good GPU from them, but I don't think I will want to buy their boards. My previous board was an ASUS (from the Sandy Bridge era) and I had far less issues and far more built-in functions.
The security side is hard to judge though.

 

[Twisted Kidney]

Fucking bloatware.

 

[/dev/null]

Everyone needs to realize what you get from a motherboard manufacturer when you "build your own".

* Customization
* Speed
* Overclocking
* Choice

What you DON'T get:

* Bios updates past 12-18 months of product release.
* Any other support period. This includes good code/secure code or even the cpu support or memory QVL being kept up to date on their website.

Heaven forbid you actually find something like a bug in iommu or vt-d support.

You either accept it or you don't.

Not really sure why everyone is surprised. The last 4 people who have asked me for computers, I've bought them sub $200 haswell based Dells or HPs

 

[Lakados]

And here I am with an Asus MoBo in one hand and a Gigabyte GPU in the other with my cock just swinging in the wind....

 

[DeChache]

Well good thing I never install that RGB tools. Recently just swapped to a Gigabyte GFX from MSI because I couldn't justify an extra $50 bucks for brand preference....

 

[Oldmodder]

"that Gigabyte is a hardware company and they are not specialized in software."

No sheeet Sherlock
My new computers was at the time ( a month or so ago ) based on one of the most expensive Gigabyte motherboards around, and their software for it are not good ( to put it mildly )
RGB Fusion are not working well and are lackluster.
Their APP center software are also bad, it keep saying some of my drivers have updates, but they don't and even if i update VIA APP center the same drivers still have updates.

I would think that a company's highest end products was also the ones that had the most focus, but this don't seem to be the case with Gigabyte.

 

[Absalom]

Interesting.
My GSkill Ripjaws MX780 RGB keyboard has their software installed and that dll does not exist on my system drive.
I am on version 2.03
Just checked, this is the latest release from 2017.

Just to be clear, I'm using their tool (G.Skill's) which is specifically designed for configuring the RGB on their ram. Your keyboard probably uses a different tool altogether.

Hence the YMMV.

 

[jardows]

Everyone needs to realize what you get from a motherboard manufacturer when you "build your own".

* Customization
* Speed
* Overclocking
* Choice

What you DON'T get:

* Bios updates past 12-18 months of product release.
* Any other support period. This includes good code/secure code or even the cpu support or memory QVL being kept up to date on their website.

Heaven forbid you actually find something like a bug in iommu or vt-d support.

You either accept it or you don't.

Not really sure why everyone is surprised. The last 4 people who have asked me for computers, I've bought them sub $200 haswell based Dells or HPs

Better be buying them Optiplex or Prodesks, because everything else in the consumer line has as bad or worse support than given by the motherboard vendors, and usually it is worse.

 

[/dev/null]

Better be buying them Optiplex or Prodesks, because everything else in the consumer line has as bad or worse support than given by the motherboard vendors, and usually it is worse.

Optiplex is what I tend to stick with. on the HP side I like the "Z" workstation (single socket) series.

 

[GameLifter]

Good thing I uninstalled the ASUS Aura Sync software from my computer recently. It was giving me performance issues in games when I had it set to Rainbow mode which went away after setting it to a static color or disabling it. I decided to remove any doubt of it potentially causing other performance issues and uninstalled it.

 

[umeng2002]

Asian technology companies are not known for their software support. They seem to default to, "just buy the updated model" solution...

 

[jpcahn1]

I usually buy Asus. This time I went MSI and now I feel like I won the Lottery!

 

[DocNo]

then Gigabyte claimed "that Gigabyte is a hardware company and they are not specialized in software."

If you aren't a software company you aren't a hardware company either. No more Gigabyte stuff for me. I am disappointed in Asus. I thought they had it more together than this. Luckily this is for frivolous crap that can be deleted easily enough, but what if it's a BIOS issue next time? Are they going to have the same lack luster response?

Ugh.

 

[DocNo]

I usually buy Asus. This time I went MSI and now I feel like I won the Lottery!

Until you need to do an RMA. They have the worst process ever.

I guess they could have improved it by now, but my god what a nightmare....

I guess it is true none of these hardware companies now jack about software.

 

[Twisted Kidney]

Well good thing I never install that RGB tools. Recently just swapped to a Gigabyte GFX from MSI because I couldn't justify an extra $50 bucks for brand preference....

On a good number of Asus' video cards you have to run the RGB bloatware to turn OFF their lighting. Every. Time. You. Boot.

Asus software is absolutely terrible to top it off.

 

[DeChache]

On a good number of Asus' video cards you have to run the RGB bloatware to turn OFF their lighting. Every. Time. You. Boot.

Asus software is absolutely terrible to top it off.

You might have to on this Gigabyte card to but the case doesn't have a window so I think its just sitting there and cycling through all the colors.

 

[Elf_Boy]

I have found the Asus utilities often don't work in part or whole even after updates.

 

[funkydmunky]

Hardware makers have always had bloated poorly programmed software apps. I usually try to avoid it. Problem is the freeware/cheap alternatives may have similar issues.

 

[Absalom]

Updated all my RGB software and found out that my G.Skill ram's RGB lighting can now be controlled through Gigabyte's RGBFusion app. So I promptly nuked the G.Skill RGB app and any trace of the ASUS Aura software.

If I'm going to have security holes and RGB lighting, I might as well narrow down the holes to just one.

You might have to on this Gigabyte card to but the case doesn't have a window so I think its just sitting there and cycling through all the colors.

My Logitech G810 keyboard will continue to do a rainbow light show until the drivers load. I find this a disgusting trend amongst anything RGB.

I don't mind a little even subtle RGB, but why is the default behavior always ON? And to add insult to injury, why does every mfg set their RGB default scheme to use the absolute worst effect?

The default behavior should be OFF. But I guess the less tech savvy will bitch that their new RGB bling isn't working, so they RMA it? Blah.

 

[schoolslave]

I've been saying it for years - all this bullshit code (RGB, auto overclock, etc etc) ASUS and others keep adding to the motherboards is incredibly insecure and fragile. Less bloat, more stability please; let's deliver a 100% functional and stable motherboard first and then worry about adding "features".

 

[Azphira]

Fuck RGB

 

[Zulgrib]

I guess Asus fixed one flaw from their but don't have source for the other affected driver.

 

[Zulgrib]

but it is still relying on YOU running malicious code on your computer.

irregardless of anything else.. if you are running malicious code on your computer.. you are already compromised

Like it is highly difficult to make lamba people execute software on their computer.

People will run anything asked blindly until they obtain what they want.

 

[Zulgrib]

I've been saying it for years - all this bullshit code (RGB, auto overclock, etc etc) ASUS and others keep adding to the motherboards is incredibly insecure and fragile. Less bloat, more stability please; let's deliver a 100% functional and stable motherboard first and then worry about adding "features".

If they want a fancy GUI and there's not enough onboard storage, they could make an .efi software to boot to that would reside on your storage efi partition with that fancy gui minus exploitations while you run your usual system.

The Windows package installer could do just that, place the .efi file and a shortcut to make next boot going straight to this.