Turns out RGB lighting might not be all that harmless after all. An independent security audit has shed light on seven vulnerabilities affecting five different software packages from Asus and Gigabyte, including the Aura Sync RGB controller software. Despite having been privately aware of the flaws for many months, neither Gigabyte nor Asus has fully patched the bugs, even now that the disclosure period has ended.
Asus was informed of the bugs in its software back in April 2018 by SecureAuth, a security firm that specialises in “access management, identity governance, and penetration testing”. Multiple vulnerabilities in the GLCKIo and Asusgio drivers were found after rooting around in Asus’ code, leaving the Aura Sync v1.07.22 package (and potentially earlier versions) open to attackers.
The firm also informed Gigabyte that several of its software packages were open to attackers; however, the company denies that any vulnerabilities affect its software. The report indicates that the Gigabyte App Centre, Aorus Graphics Engine, Extreme Gaming Engine, and OC Guru II were all vulnerable due to flaws in the GPCIDrv and GDrv drivers.
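As an added check (not from the SecureAuth advisories or from either vendor), the PowerShell below reports whether any of the four drivers named above, GLCKIo, Asusgio, GPCIDrv and GDrv, are registered on a Windows host, together with their state and file version. It assumes the drivers are registered under those service names or ship as .sys files of the same name; a match only shows the driver is present, not which package installed it, so the reported file version still has to be compared against the vendor's current release.

```powershell
# Added check, not code from SecureAuth, Asus or Gigabyte.
# Assumption: the drivers are registered under these names, or their
# binaries are <name>.sys (matched case-insensitively).
$suspectDrivers = @('GLCKIo', 'Asusgio', 'GPCIDrv', 'GDrv')

# Win32_SystemDriver lists kernel drivers registered as services,
# whether they are currently running or merely installed.
$found = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object {
        $driver = $_
        $suspectDrivers | Where-Object {
            $driver.Name -ieq $_ -or
            $driver.PathName -imatch ('\\' + $_ + '\.sys$')
        }
    } |
    Select-Object Name, State, StartMode, PathName

if (-not $found) {
    "None of the listed drivers are registered on this host."
    return
}

$found | Format-Table -AutoSize

# A driver name alone does not tell you whether the installed build is
# the vulnerable one, so pull the file version of each matching binary
# for comparison against the vendor's current download.
foreach ($driver in $found) {
    # PathName may carry an NT-style prefix (\??\); strip it for Get-Item.
    $path = $driver.PathName -replace '^\\\?\?\\', ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-Item -LiteralPath $path).VersionInfo |
            Select-Object FileName, FileVersion, ProductVersion
    } else {
        "Binary for $($driver.Name) not found at '$($driver.PathName)'."
    }
}
```

Run it from an elevated prompt so that every driver's binary is readable; a driver showing State "Running" with StartMode "Auto" is loaded at every boot, which is the case to prioritise.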
Across its reports, SecureAuth (via BleepingComputer) has published proof-of-concept code showing how these vulnerabilities could be exploited, with potentially disastrous consequences. The flaws in Asus’ drivers could allow a local user to run code with elevated privileges on the system, while the flaws in Gigabyte’s software could let a local attacker take complete control of an affected machine. In both cases these are local privilege-escalation issues rather than remote attacks: the attacker first needs a foothold on the PC, which the vulnerable drivers then let them turn into something far worse.
Neither Asus nor Gigabyte has offered a fix or workaround for all of the reported bugs at this time.
“Gigabyte responded that, according to its PM and engineers, its products are not affected by the reported vulnerabilities,” a report timeline from SecureAuth says.
Asus told SecureAuth that the vulnerabilities were fixed in a later update. However, after re-examining the updated drivers, the security firm found that only one of the vulnerabilities had actually been fixed. This was the last interaction between the two companies that SecureAuth reported.
Similar flaws were exposed in ASRock’s software a few months ago by the same firm. However, ASRock responded in time, shipping an update that patched the vulnerabilities before they were made public.
It is standard practice to inform a company of a security vulnerability before disclosing it to the world at large. This disclosure period typically lasts anywhere from 90 days to six months, after which the researchers publish regardless of whether a fix has shipped.
Security vulnerabilities and disclosure periods have become a hot topic in 2018 ever since massive security flaws nicknamed Spectre and Meltdown entered the public gaze in January. These issues rocked the security and semiconductor worlds and are still affecting security policy and engineering strategy for Intel, AMD, and ARM to this day.