Jump to content

Security vulnerability in current version of CPU-Z

networkArchitect
By networkArchitect
in Tech News
 Share
Posted

A vulnerability in CPUID CPU-Z has been reported under CVE-2017-15302. This vulnerability allows for arbitrary reading/writing of locations in memory without proper permissions. At the time of writing (10/15/2017) there is currently no fix available. IMO this isn't anything to panic over quite yet, though if you're super paranoid uninstalling and waiting for a fix to be released might be a good idea. 

 

CVE Report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15302

Slightly more info: https://github.com/akayn/Bugs/tree/master/CVE-2017-15302

 

Quote

In CPUID CPU-Z through 1.81, there are improper access rights to a kernel-mode driver (e.g., cpuz143_x64.sys for version 1.43) that can result in information disclosure or elevation of privileges, because of an arbitrary read of any physical address (ioctl: 0x9C402604). Any application running on the system (Windows), including sandboxed users, can issue an ioctl to this driver without any validation. Furthermore, the driver can map any physical page on the system and returns the allocated map page address to the user: that results in an information leak and EoP. NOTE: the vendor indicates that the arbitrary read itself is intentional behavior (for ACPI scan functionality); the security issue is the lack of an ACL.

 

 

"/usr/local/bin/coffee.sh" Missing – Insert Cup and Press Any Key

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

Doesn't seem like that big of a deal tbh.

Main Gaming PC (new): HP Omen 30L || i9 10850K || RTX 3070 || 512GB WD Blue NVME || 2TB HDD, 4TB HDD, 8TB HDD ||  750W P2 ||  16GB HyperX Black DDR4

Main Gaming PC (old, still own) : Intel Core i7 7700K @5.0Ghz || GPU: GTX 1080 Seahawk EK X || Motherboard: Maximus VIII Impact || Case: Fractal Design Define Nano S || RAM : 32GB Corsair Vengeance LPX 

Cooling: EK XRES D5 100mm || Alphacool ST30 280mm w/ Vardars || Alphacool ST30 240mm w/ Vardars || Swiftech 3/8 x 1/2'' Lok-Seal Compressions || Swiftech EVGA Hydrocopper Block || Primochill Advanced LRT Orange || Distilled Water

Folding@Home Rig: 2x X5690s @4.6Ghz || GPUs: 2x Radeon HD 7990 || Motherboard: EVGA SR-2 || Case: Corsair 900D || RAM: 48GB Corsair Dominator GT 2000Mhz CL9

Ethereum Mining Rig: Pentium G4400 || Gigabyte Z170X-UD5 TH || 2x GTX 1060s (Samsung & Hynix) 1x GTX 1070 (Micron), 2x RX480s BIOS modded (Samsung), 1x R9 290X 8GB, 1x GTX 1660 Super = ~ 195 Mh/s

Peripherals: 3x U2412M (5760x1200), 1x U3011 (2560x1600) || Logitech G710 (Cherry Blues) || Logitech G600 || Brainwavz HM5 with @Gofspar Mod 

Laptop: Dell XPS 15 || "Infinity Edge" 4K IPS Screen || i7 7700HQ || GTX 1050 || 16GB 2400Mhz RAM 

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
37 minutes ago, arnavvr said:

Doesn't seem like that big of a deal tbh.

LOL. The CPU-Z driver can be called by third party applications to read memory (without any sort of validation). Not a big deal, yeah. /s

▶ Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning. - Einstein◀

Please remember to mark a thread as solved if your issue has been fixed, it helps other who may stumble across the thread at a later point in time.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

One of the reasons I'm glad I use the zip version of CPU-Z, instead of the installer version.  Frankly, there's no real reason to actually install CPU-Z, considering everything works fine without being installed.

https://linustechtips.com/main/topic/449522-smoking-barrels-ltts-unnofficial-gun-club/

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 hour ago, Jito463 said:

One of the reasons I'm glad I use the zip version of CPU-Z, instead of the installer version.  Frankly, there's no real reason to actually install CPU-Z, considering everything works fine without being installed.

Convenience is the reason to install it. 

 

There are many applications that have fully capable portable versions, and they certainly have their use case.

 

I use portable apps all the time at work on a USB drive. But on a permanent system I prefer to install where possible. 

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
17 minutes ago, dalekphalm said:

Convenience is the reason to install it. 

 

There are many applications that have fully capable portable versions, and they certainly have their use case.

 

I use portable apps all the time at work on a USB drive. But on a permanent system I prefer to install where possible. 

Wouldn't that be the same thing, except that you have to click more times? o.O

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
24 minutes ago, dalekphalm said:

Convenience is the reason to install it. 

 

There are many applications that have fully capable portable versions, and they certainly have their use case.

 

I use portable apps all the time at work on a USB drive. But on a permanent system I prefer to install where possible. 

Generally speaking, yeah.

 

But seriously how often do you really need to open CPU-Z? If you need the info just take a screenshot of it after any upgrade or new clock or whatever. If you need to benchmark again, assuming you can't use other benchmarks for most people after you get the stable clocks you want you probably don't need to keep testing.

 

I mean it sucks for hardware vendors and reviewers but outside of it there's not much point in keeping it installed for now, specially before this hole is even patched.

-------

Current Rig

-------

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 hour ago, BDev said:

Wouldn't that be the same thing, except that you have to click more times? o.O

The first time? Sure. But after that? Of course not, unless you store the folder on your desktop. 

 

1 hour ago, Misanthrope said:

Generally speaking, yeah.

 

But seriously how often do you really need to open CPU-Z? If you need the info just take a screenshot of it after any upgrade or new clock or whatever. If you need to benchmark again, assuming you can't use other benchmarks for most people after you get the stable clocks you want you probably don't need to keep testing.

 

I mean it sucks for hardware vendors and reviewers but outside of it there's not much point in keeping it installed for now, specially before this hole is even patched.

True enough - in this case, the risk of the flaw outweighs the convenience of an install for a program - as you correctly point out - that will rarely get used. 

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
3 hours ago, dalekphalm said:

The first time? Sure. But after that? Of course not, unless you store the folder on your desktop. 

 

True enough - in this case, the risk of the flaw outweighs the convenience of an install for a program - as you correctly point out - that will rarely get used. 

Agree.

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Tech News

×