Software update for Potential security vulnerabilities in GIGABYTE software

CVE-2018-19320, CVE-2018-19321, CVE-2018-19322, CVE-2018-19323 , CVE-2019-7630
2020/05/18

Summary:

Potential security vulnerabilities in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes functionality to read and write Machine Specific Registers (MSRs). These could allow a local attacker to take complete control of the affected system. GIGABYTE is releasing software updates to mitigate these potential vulnerabilities.

 

Vulnerability Details:

CVEID: CVE-2018-19320

Description: The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.

 

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

CVEID: CVE-2018-19321

Description: The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges.

 

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

CVEID: CVE-2018-19322

Description: The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read/write data from/to IO ports. This could be leveraged in a number of ways to ultimately run code with elevated privileges.

 

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

CVEID: CVE-2018-19323

Description: The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges.

 

CVSS Base Score: 9.8 Critical

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

 

CVEID: CVE-2019-7630

Description: An issue was discovered in gdrv.sys in Gigabyte APP Center before 19.0227.1. The vulnerable driver exposes a wrmsr instruction via IOCTL 0xC3502580 and does not properly filter the target Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges.

 

CVSS Base Score: 7.2 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

 

 

Affected Products:

GIGABYTE APP Center v1.05.21 and earlier.

AORUS GRAPHICS ENGINE before 1.57.

XTREME GAMING ENGINE before 1.26.

OC GURU II v2.08.

 

Recommendations:

GIGABYTE recommends that users of those impacted software update to the relative version as below descriptions.

 

GIGABYTE APP Center B19.0422.1 or later,

AORUS GRAPHICS ENGINE 1.57 or later,

XTREME GAMING ENGINE 1.27 or later,

OC GURU II v2.08, the utility is no longer available.

 

Updates are available for download at these locations:

APP Center, AORUS GRAPHICS ENGINE and XTREME GAMING ENGINE

https://www.gigabyte.com/Support/Utility/Graphics-Card

https://www.gigabyte.com/Support/Utility/Motherboard

 

For any further assistance regarding this issue please contact your GIGABYTE sales representative, or create a new support ticket at https://esupport.gigabyte.com