Asus and Gigabyte Drivers Allegedly Contain Serious Security Vulnerabilities

Discussion in 'HardForum Tech News' started by AlphaAtlas, Dec 20, 2018.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,713
    Joined:
    Mar 3, 2018
    BleepingComputer reports that SecureAuth published "driver elevation of privilege" vulnerabilities for desktop Gigabyte and Asus motherboards. According to the Asus report, multiple vulnerabilities were found in the GLCKIo and Asusgio drivers that the company's Aura Sync RGB control software installs. SecureAuth notified Asus over a year ago, but didn't immediately receive a response. 2 months and 3 emails later, Asus asked for technical details, reportedly released an update in April that only fixed one of the two major vulnerabilities, and didn't respond to any more emails. Meanwhile, after sending multiple emails, SecureAuth received a response from Gigabyte asking SecureAuth to open a support ticket. SecureAuth said they wished to keep correspondence private, and then Gigabyte claimed "that Gigabyte is a hardware company and they are not specialized in software." The security company sent over a draft of the vulnerability anyway, Gigabyte responded by saying the draft was too vague and asked for a phone contact, and 2 months later, Gigabyte claimed that "its products are not affected by the reported vulnerabilities."

    SecureAuth published proof of concept code for both the Asus and Gigabyte vulnerabilities, and according to the report, the affected Asus and Gigabyte drivers are still vulnerable. Non-privileged users that are "even running at LOW INTEGRITY" can allegedly abuse the exploits and "take complete control of the affected system."

    Thanks to Schtask for the tip.
     
    Last edited: Dec 20, 2018
  2. B00nie

    B00nie [H]ardness Supreme

    Messages:
    7,909
    Joined:
    Nov 1, 2012
    Another example why less is more and bloat sucks.
     
    Sulphademus, GSDragoon and PaulP like this.
  3. SJetski71

    SJetski71 [H]ardForum Junkie

    Messages:
    14,389
    Joined:
    Sep 6, 2002
    Scratch Gigabyte and Asus off my short term shopping list, hello MSI.

    Get your acts together, dummies, because you two are literally asking for problems. You lost that critical moment to make yourselves look good.
     
    Sulphademus, PaulP and /dev/null like this.
  4. mkk

    mkk [H]Lite

    Messages:
    92
    Joined:
    Jun 20, 2018
    These companies may have come up with some nifty software features in recent years, but the quality of the code or installer packaging has often been sketchy.
    Evade every bit that you don't really need. Check for instance if the BIOS controls can be good enough by themselves even if they're limited.
     
    PaulP likes this.
  5. Solhokuten

    Solhokuten [H]ard|Gawd

    Messages:
    1,213
    Joined:
    Dec 9, 2009
    Well that's terrible news for me. I just got a new Gigabyte board, I guess I'll uninstall the software tonight.
     
  6. Absalom

    Absalom Gawd

    Messages:
    661
    Joined:
    Oct 3, 2007
    Just an FYI, some other brands out there also incorporate these software APIs to drive their own RGB lights.

    I just double checked, and indeed, G.Skill's RGB control software I'm currently using has the GLCKIo.dll in its folder. YMMV.
     
    mkk likes this.
  7. Elf_Boy

    Elf_Boy 2[H]4U

    Messages:
    2,337
    Joined:
    Nov 16, 2007
    Sounds like the Asus support I know.

    Corporate culture makes it bad to report a problem.
     
  8. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,987
    Joined:
    Nov 15, 2016
    LOL.. this is a joke, right?

    So let me get this straight.. you install RGB control software on your computer.. something not a normal non admin end user is going to do.. it's going to be a gamer running as ADMINISTRATOR on his own rig.

    Then .. to exploit these "critical" vulnerabilities, one has to then be running malicious code to exploit said vulnerability

    Well.. there is the ONLY issue here.. you're running malicious code

    :rolleyes:
     
  9. Nenu

    Nenu [H]ardened

    Messages:
    18,843
    Joined:
    Apr 28, 2007
    Interesting.
    My GSkill Ripjaws MX780 RGB keyboard has their software installed and that dll does not exist on my system drive.
    I am on version 2.03
    Just checked, this is the latest release from 2017.
     
  10. damicatz

    damicatz 2[H]4U

    Messages:
    2,708
    Joined:
    Aug 22, 2004
    I don't think you quite understand the exploit.

    Administrator != Ring 0. This allows for malicious kernel mode code to be executed. Ring 0 is basically unmitigated access to the computer hardware which is actually higher than administrator and basically allows for the system to be rooted at a very low level (bypassing the normal signing requirements for running kernel mode code).
     
    readeh, PaulP and windianrecords like this.
  11. travisty

    travisty Gawd

    Messages:
    815
    Joined:
    Feb 3, 2016
    Oh nice. Another reason for me to jump on the rgb lightshow bandwagon!

    ...
     
  12. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,987
    Joined:
    Nov 15, 2016

    but it is still relying on YOU running malicious code on your computer.

    irregardless of anything else.. if you are running malicious code on your computer.. you are already compromised
     
  13. B00nie

    B00nie [H]ardness Supreme

    Messages:
    7,909
    Joined:
    Nov 1, 2012
    No, it only requires YOU to visit any infected site on the internet and it will run the code FOR you. Or preview an infected e-mail on your outlook/whatever client. Or install an infected USB stick (some come preinfected from the factory) etc.
     
    PaulP and DeathFromBelow like this.
  14. darckhart

    darckhart Limp Gawd

    Messages:
    237
    Joined:
    Jun 15, 2013
    "we're a hardware company not a software company" AHAHAHA so you get to ignore what's really happening and live in your own bubble? sounds a lot like facebook. "oh no we're not a news and media company" except majority of people get their news from facebook now so yea...... TAKE SOME RESPONSIBILITY COMPANIES.
     
    DocNo and PaulP like this.
  15. DeathFromBelow

    DeathFromBelow [H]ardness Supreme

    Messages:
    7,222
    Joined:
    Jul 15, 2005
    At least with Gigabyte you can set up the RGB LED colors in the BIOS without installing any crapware in the OS. Or is that only on certain boards?

    Remember the 'internet drive-by' attacks that were common in the Windows XP era? Vista introduced much stronger privilege escalation features, but malware can still exploit crappy drivers like this to get around it. You could unknowingly be infected just by visiting an infected page.
     
  16. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,713
    Joined:
    Mar 3, 2018
    ASRock had a similar security vulnerability, but they did patch it before it went public. So I wouldn't be surprised if MSI mobos had similar issues.

    I think the bigger message is "don't run RGB LED software (or other optional mobo drivers) if system security is really important"
     
  17. mufcfan

    mufcfan Limp Gawd

    Messages:
    245
    Joined:
    Feb 23, 2005
    I have a Gigabyte Z270 Gaming K3 board since last summer. NONE of their software works or ever worked for me except the drivers.
    They claimed that it works on the previous Win10 version, until they gave up and did not even post updates to their software anymore except for the soundcard drivers. (Which is obviously not theirs.)

    I have a good GPU from them, but I don't think I will want to buy their boards. My previous board was an ASUS (from the Sandy Bridge era) and I had far fewer issues and far more built-in functions.
    The security side is hard to judge though.
     
  18. Twisted Kidney

    Twisted Kidney 2[H]4U

    Messages:
    3,503
    Joined:
    Mar 18, 2013
    Fucking bloatware.
     
    DocNo likes this.
  19. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    14,147
    Joined:
    Mar 31, 2001
    Everyone needs to realize what you get from a motherboard manufacturer when you "build your own".

    * Customization
    * Speed
    * Overclocking
    * Choice

    What you DON'T get:

    * Bios updates past 12-18 months of product release.
    * Any other support period. This includes good code/secure code or even the cpu support or memory QVL being kept up to date on their website.

    Heaven forbid you actually find something like a bug in iommu or vt-d support.

    You either accept it or you don't.

    Not really sure why everyone is surprised. The last 4 people who have asked me for computers, I've bought them sub $200 haswell based Dells or HPs
     
  20. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,620
    Joined:
    Feb 3, 2014
    And here I am with an Asus MoBo in one hand and a Gigabyte GPU in the other with my cock just swinging in the wind....
     
  21. DeChache

    DeChache The ONE - Your Ignorance Annoys Me

    Messages:
    6,866
    Joined:
    Oct 30, 2005
    Well good thing I never install those RGB tools. Recently just swapped to a Gigabyte GFX from MSI because I couldn't justify an extra $50 bucks for brand preference....
     
  22. Oldmodder

    Oldmodder Gawd

    Messages:
    707
    Joined:
    Aug 24, 2018
    No sheeet Sherlock :rolleyes:
    My new computer was at the time (a month or so ago) based on one of the most expensive Gigabyte motherboards around, and their software for it is not good (to put it mildly).
    RGB Fusion is not working well and is lackluster.
    Their APP Center software is also bad, it keeps saying some of my drivers have updates, but they don't, and even if I update via APP Center the same drivers still have updates.

    I would think that a company's highest end products were also the ones that had the most focus, but this doesn't seem to be the case with Gigabyte.
     
  23. Absalom

    Absalom Gawd

    Messages:
    661
    Joined:
    Oct 3, 2007
    Just to be clear, I'm using their tool (G.Skill's) which is specifically designed for configuring the RGB on their ram. Your keyboard probably uses a different tool altogether.

    Hence the YMMV.
     
  24. jardows

    jardows [H]ard|Gawd

    Messages:
    1,651
    Joined:
    Jun 10, 2015
    Better be buying them Optiplex or Prodesks, because everything else in the consumer line has as bad or worse support than given by the motherboard vendors, and usually it is worse.
     
  25. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    14,147
    Joined:
    Mar 31, 2001
    Optiplex is what I tend to stick with. On the HP side I like the "Z" workstation (single socket) series.
     
  26. GameLifter

    GameLifter Limp Gawd

    Messages:
    341
    Joined:
    Sep 4, 2014
    Good thing I uninstalled the ASUS Aura Sync software from my computer recently. It was giving me performance issues in games when I had it set to Rainbow mode which went away after setting it to a static color or disabling it. I decided to remove any doubt of it potentially causing other performance issues and uninstalled it.
     
  27. umeng2002

    umeng2002 Gawd

    Messages:
    923
    Joined:
    May 23, 2008
    Asian technology companies are not known for their software support. They seem to default to, "just buy the updated model" solution...
     
  28. jpcahn1

    jpcahn1 [H]Lite

    Messages:
    66
    Joined:
    Apr 17, 2014
    I usually buy Asus. This time I went MSI and now I feel like I won the Lottery!
     
  29. DocNo

    DocNo Gawd

    Messages:
    654
    Joined:
    Apr 23, 2012
    If you aren't a software company you aren't a hardware company either. No more Gigabyte stuff for me. I am disappointed in Asus. I thought they had it more together than this. Luckily this is for frivolous crap that can be deleted easily enough, but what if it's a BIOS issue next time? Are they going to have the same lackluster response?

    Ugh.
     
  30. DocNo

    DocNo Gawd

    Messages:
    654
    Joined:
    Apr 23, 2012
    Until you need to do an RMA. They have the worst process ever.

    I guess they could have improved it by now, but my god what a nightmare....

    I guess it is true none of these hardware companies know jack about software.
     
  31. Twisted Kidney

    Twisted Kidney 2[H]4U

    Messages:
    3,503
    Joined:
    Mar 18, 2013
    On a good number of Asus' video cards you have to run the RGB bloatware to turn OFF their lighting. Every. Time. You. Boot.

    Asus software is absolutely terrible to top it off.
     
  32. DeChache

    DeChache The ONE - Your Ignorance Annoys Me

    Messages:
    6,866
    Joined:
    Oct 30, 2005
    You might have to on this Gigabyte card too, but the case doesn't have a window so I think it's just sitting there and cycling through all the colors.
     
  33. Elf_Boy

    Elf_Boy 2[H]4U

    Messages:
    2,337
    Joined:
    Nov 16, 2007
    I have found the Asus utilities often don't work in part or whole even after updates.
     
  34. funkydmunky

    funkydmunky 2[H]4U

    Messages:
    2,363
    Joined:
    Aug 28, 2008
    Hardware makers have always had bloated poorly programmed software apps. I usually try to avoid it. Problem is the freeware/cheap alternatives may have similar issues.
     
  35. Absalom

    Absalom Gawd

    Messages:
    661
    Joined:
    Oct 3, 2007
    Updated all my RGB software and found out that my G.Skill ram's RGB lighting can now be controlled through Gigabyte's RGBFusion app. So I promptly nuked the G.Skill RGB app and any trace of the ASUS Aura software.

    If I'm going to have security holes and RGB lighting, I might as well narrow down the holes to just one.
    My Logitech G810 keyboard will continue to do a rainbow light show until the drivers load. I find this a disgusting trend amongst anything RGB.

    I don't mind a little even subtle RGB, but why is the default behavior always ON? And to add insult to injury, why does every mfg set their RGB default scheme to use the absolute worst effect?

    The default behavior should be OFF. But I guess the less tech savvy will bitch that their new RGB bling isn't working, so they RMA it? Blah.
     
    Last edited: Dec 20, 2018
  36. schoolslave

    schoolslave Gawd

    Messages:
    601
    Joined:
    Dec 7, 2010
    I've been saying it for years - all this bullshit code (RGB, auto overclock, etc etc) ASUS and others keep adding to the motherboards is incredibly insecure and fragile. Less bloat, more stability please; let's deliver a 100% functional and stable motherboard first and then worry about adding "features".
     
    Zulgrib likes this.
  37. Azphira

    Azphira [H]ard|Gawd

    Messages:
    1,822
    Joined:
    Aug 18, 2003
  38. Zulgrib

    Zulgrib n00b

    Messages:
    31
    Joined:
    Dec 11, 2018
    I guess Asus fixed one flaw from their but don't have source for the other affected driver.
     
  39. Zulgrib

    Zulgrib n00b

    Messages:
    31
    Joined:
    Dec 11, 2018
    Like it is highly difficult to make lambda people execute software on their computer.

    People will run anything asked blindly until they obtain what they want.
     
  40. Zulgrib

    Zulgrib n00b

    Messages:
    31
    Joined:
    Dec 11, 2018
    If they want a fancy GUI and there's not enough onboard storage, they could make an .efi software to boot to that would reside on your storage efi partition with that fancy gui minus exploitations while you run your usual system.

    The Windows package installer could do just that, place the .efi file and a shortcut to make next boot going straight to this.