Security: Asus and Gigabyte drivers exploitable

justpoet

In short, ASUS and Gigabyte have security issues in drivers/software commonly seen, including Aura Sync, which allow an attacker to gain administrative or system-level privileges, and they have either dismissed the issues or only appear to have partially fixed them in their latest releases.

 

https://www.bleepingcomputer.com/news/security/asus-gigabyte-drivers-contain-code-execution-vulnerabilities-pocs-galore/

 

Quote

Four drivers from ASUS and GIGABYTE come with several vulnerabilities that can be leveraged by an attacker to gain higher permissions on the system and to execute arbitrary code.

In total, there are seven vulnerabilities affecting five software products, and researchers wrote exploit code for each of them. Many of them might still be unaddressed.

Two of the vulnerable drivers are installed by the Aura Sync software (v1.07.22 and earlier) from ASUS and the flaws they carry can be exploited for local code execution.

The drivers from GIGABYTE are distributed with motherboards and graphics cards of the same brand as well as from the company's subsidiary, AORUS.

The vulnerabilities lead to privilege escalation via software like the GIGABYTE App Center (v1.05.21 and below), AORUS Graphics Engine (v1.33 and below), the XTREME Engine utility (v1.25 and earlier), and OC Guru II (v2.08).

Quote

The security company asked for clarifications when it noticed that an update for Aura Sync in April still included the security faults. A subsequent release for the software became available, spotted in May, and SecureAuth determined that it fixed only one of the three problems.

 

Link to comment

I don't use any because frankly, all of them are absolute garbage. It's like Asian companies have absolutely no concept of making half good software. I have the AORUS GTX 1080Ti and the "AORUS Graphics Engine" thing for overclocking has been an absolute failure since the day I got the graphics card.

 

On boot it would make everything stutter and lag because it would show a circle with "Loading" in the middle. Min/Max reset as soon as value goes out of the graph, clicking things lags whole damn thing, parameters are all glitchy and pretty much random, creating profiles is retarded and glitchy and recently they introduced some stupid separate RGB whatever that spawns like 10 errors every time I want to run the god damn thing. It's like, WTF Gigabyte, what the hell are you even doing?!

 

Not that others are any better. ASUS's OC tool, GPUTweak was no better and loaded with retardations and bugs and so is MSI software. It's all a buggy, glitchy, horrifying mess, starting with their damn Spectre/Meltdown BIOS that they cocked up for X99 Gaming7 to cause a bunch of system crashing and BSODs and they still have that shit online. Only good thing is MSI Afterburner because it's outsourced anyway using RivaTuner...

Link to comment

Of course it's the RGB software, I've tried both and they're both annoying and I can easily see that they didn't put any effort into it. Haven't had a chance to try the other Gig software but I'm not surprised it would have similar issues.

Hope this will lead to them at least putting something better together, but I won't get my hopes up. 

Link to comment

I had a lighting file trigger the anti-cheat software in DBD lol, haven't played the game in a few months because of that. Thanks, ASUS.

Link to comment

Ugh, that's annoying.
The RGB controls in Gigabyte's BIOS are extremely lacking (no way to adjust brightness, or adjust the header separately from the board). Not to mention their fan controls...

Link to comment

I think as time goes on, more exploits will become known; these kinds of stories deserve more attention. For most users, they're not an issue, until it is.

Link to comment

23 hours ago, SlimyPython said:

Consumer: "HEY, YOU GOT PROB-"

Company: "Don't care, never will"

That's not completely accurate, they did fix 1/3. So they care a little, just not enough.

 

Just need a nice doubt of ransomware that exploits a driver CVE and we will get a big overhaul of security fixes.

 

 

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´

Link to comment

As someone with a Gigabyte MB and graphics card, is there anything I can do about this?

Link to comment

and this is why Macs are regarded more secure than PCs lol... if even your drivers contain security holes you've done an oopsie...

She/Her

Link to comment

Glad I went with EVGA for my 1080ti and ASRock for my mobo.

 

I don't use the RGB on the mobo, or my RAM's RGB because it's too bright. And my EVGA 1080ti has a water cooler with no LEDs on it now.

 

 

I shelled out the money and ended up using none of it.

 

4 hours ago, firelighter487 said:

and this is why Macs are regarded more secure than PCs lol... if even your drivers contain security holes you've done an oopsie...

No, there you just have a company that charges more than the price of the original product to repair even the slightest issue. As well as refusing to address or outright ignoring vulnerabilities altogether because "can't happen, we're perfect".

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

3 minutes ago, Trik'Stari said:

No, there you just have a company that charges more than the price of the original product to repair even the slightest issue. 

so if I were to buy an iPhone XS, walk out of the Apple Store, drop it and crack the screen it would cost me more to have the screen fixed than just buying an entirely new phone?

 

5 minutes ago, Trik'Stari said:

As well as refusing to address or outright ignoring vulnerabilities altogether because "can't happen, we're perfect".

source?

She/Her

Link to comment

8 minutes ago, firelighter487 said:

so if I were to buy an iPhone XS, walk out of the Apple Store, drop it and crack the screen it would cost me more to have the screen fixed than just buying an entirely new phone?

 

source?

Possibly and:

 

https://arstechnica.com/information-technology/2018/12/4-months-after-its-debut-sneaky-mac-malware-went-undetected-by-av-providers/

 

As to repairs, I repair laptops for a living and have for almost 3 years now (will be 3 years in April). I watched the video CBS did on Apple's supposed repair policies, and I've seen some of the questions and answers for their certification process (I am not Apple certified, but I have coworkers who are and I've seen the absolute ridiculousness that is the Apple cert process) and I can say without a doubt that Apple goes out of their way to refuse repairs.

 

To be fair, other OEMs do this as well, but to a lesser extent. They rely on the sale of extended warranties for profit, and merely hope that the total repairs needed is less than what the customer paid for the extended warranty on a bulk order of laptops/devices. Some of them are getting quite good at ensuring that only the cheaper parts are common breakages.

 

Disclosure: I work for a bulk repair facility directly servicing large enterprises. Some of our larger customers have tens of thousands of devices. The most I've seen come in from some customers was upwards of 200 a day. I cannot name customers or the OEMs they use. We don't do a lot of Apple stuff because Apple is, out of the gate, too expensive for some customers. Those that are willing to pay out are generally smaller and have more responsible users.

 

That being said, I can completely see how Apple would want to charge $1,500 for something as trivial to fix as a bent pin on an LCD/Video cable.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

On 12/24/2018 at 6:58 PM, Billy Pilgrim said:

As someone with a Gigabyte MB and graphics card, is there anything I can do about this?

Just install a good security software (Symantec, Kaspersky) and it's enough.

 

This kind of security exploit news is all over the Internet nowadays.

 

Windows sure has security holes

Some wifi drivers have security exploits

Asus, Gigabyte also have

 

As an end user, should you worry about it? No. Be happy and remember to sleep well.

Link to comment

5 minutes ago, d3adc3II said:

Just install a good security software (Symantec, Kaspersky) and it's enough.

 

This kind of security exploit news is all over the Internet nowadays.

 

Windows sure has security holes

Some wifi drivers have security exploits

Asus, Gigabyte also have

 

As an end user, should you worry about it? No. Be happy and remember to sleep well.

My advice:

 

Make sure you use a good VPN?

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

7 minutes ago, Trik'Stari said:

To be fair, other OEMs do this as well, but to a lesser extent.

so your entire argument is other companies do the same bad stuff but Apple does worse bad stuff?

 

8 minutes ago, Trik'Stari said:

That being said, I can completely see how Apple would want to charge $1,500 for something as trivial to fix as a bent pin on an LCD/Video cable.

I think we both agree that was pretty bad... 

 

9 minutes ago, Trik'Stari said:

if I understand correctly that malware did get detected by macOS's built-in AV... they just didn't tell others about it. I could be wrong though...

 

She/Her

Link to comment

6 minutes ago, firelighter487 said:

so your entire argument is other companies do the same bad stuff but Apple does worse bad stuff?

 

I think we both agree that was pretty bad... 

 

if I understand correctly that malware did get detected by macOS's built-in AV... they just didn't tell others about it. I could be wrong though...

-snip

I know they're worse because I've seen their training and I've seen what they accept or reject under warranty. Hell it's a known issue that some of their shit is coming bent from the factory, a known hardware defect, and they're refusing to cover that under warranty. Unless something has changed since that came out like a week or so ago.

 

Agreed.

 

And at best, you're describing them as anti-competitive and largely unhelpful to both their users and the rest of the industry.

 

I could go into this further, but I think we can agree to disagree at this point as we would devolve the topic farther.

 

Hardware companies apparently suck at creating secure software.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

11 hours ago, d3adc3II said:

Just install a good security software (Symantec, Kaspersky) and it's enough.

 

This kind of security exploit news is all over the Internet nowadays.

 

Windows sure has security holes

Some wifi drivers have security exploits

Asus, Gigabyte also have

 

As an end user, should you worry about it? No. Be happy and remember to sleep well.

Ok.

What do you think about Malwarebytes?

Link to comment

It's interesting, because Gigabyte actually just released their RGB Fusion 2.0 version, and it seems that they didn't even bother to worry about this stuff.

8086k

aorus pro z390

noctua nh-d15s chromax w black cover

evga 3070 ultra

samsung 128gb, adata swordfish 1tb, wd blue 1tb

seasonic 620w dogballs psu

 

 

Link to comment

I got Trident Z RGB as my only RGB doodad to avoid using any intrusive software, I hope Trident Z control is safe.

I WILL find your ITX build thread, and I WILL recommend the SIlverstone Sugo SG13B

 

Primary PC:

i7 8086k - EVGA Z370 Classified K - G.Skill Trident Z RGB - WD SN750 - Jedi Order Titan Xp - Hyper 212 Black (with RGB Riing flair) - EVGA G3 650W - dual booting Windows 10 and Linux - Black and green theme, Razer brainwashed me.

Draws 400 watts under max load, for reference.

 

How many watts do I need - ATX 3.0 & PCIe 5.0 spec, PSU misconceptions, protections explained - group reg is bad

Link to comment

Is it theoretically possible for Gigabyte or Asus to use these vulnerabilities to spy on users of their motherboards without their knowledge? 

 

 

Link to comment

3 minutes ago, fogSource said:

Is it theoretically possible for Gigabyte or Asus to use these vulnerabilities to spy on users of their motherboards without their knowledge?

My uneducated guess would be yes, although I don't know if current boards are equipped with that technology.

 

I think back to the story of Super Micro servers that were sent out to companies like Apple and Amazon, they had a secret telemetry chip embedded and it would 'allegedly' send information back to China, so it's possible. Here's the story if you want to read more on it:

 

Link to comment

Just now, ZacoAttaco said:

My uneducated guess would be yes, although I don't know if current boards are equipped with that technology.

 

I think back to the story of Super Micro servers that were sent out to companies like Apple and Amazon, they had a secret telemetry chip embedded and it would 'allegedly' send information back to China, so it's possible. Here's the story if you want to read more on it:

 

Oh wow, that's a third mobo maker to scratch off my list.  

 

EVGA here I come... 

Link to comment

1 minute ago, fogSource said:

Oh wow, that's a third mobo maker to scratch off my list.  

 

EVGA here I come... 

Yeah well I think Super Micro is more enterprise stuff. Not high-performance consumer as much. I have an Asus Z97-A board, I've been very happy with it. I'd stay away from Gigabyte though... MSI could be an option too.

Link to comment