Full Report
The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed. [...]
Analysis Summary
# Vulnerability: ASUS DriverHub Arbitrary Command Execution via Malicious Sites
## CVE Details
- CVE ID: Not explicitly provided in the summary, but multiple CVEs were submitted by the vendor for this issue.
- CVSS Score: Not explicitly provided in the summary.
- CWE: Likely related to Improper Input Validation or Code Execution (e.g., CWE-20, CWE-94).
## Affected Systems
- Products: ASUS DriverHub
- Versions: Unspecified vulnerable versions prior to the patch release.
- Configurations: Systems with ASUS DriverHub installed.
## Vulnerability Description
The vulnerability exists in ASUS DriverHub, which allows remote, unauthenticated attackers to execute arbitrary commands with administrator privileges on the host system.
The flaw is rooted in how DriverHub processes responses when visiting malicious websites. An attacker can craft a website that triggers command execution. The mechanism involves directing the legitimate, ASUS-signed `AsusSetup.exe` installer (which runs with admin rights) to use a malicious configuration file (`.ini`) downloaded from the threat actor's site. This `.ini` file subsequently directs the legitimate installer to launch a malicious executable payload. Furthermore, the failure of the tool to delete files that fail signature checks (like the malicious `.ini` and payload) persists the threat on the system.
## Exploitation
- Status: Not exploited in the wild (based on monitoring certificate transparency updates).
- Complexity: Medium (Requires manipulation of user browsing activity directing the background service).
- Attack Vector: Network (User must visit a specially crafted website).
## Impact
- Confidentiality: High (Admin code execution allows full system compromise).
- Integrity: High (Admin code execution allows modification of any system file or setting).
- Availability: High (Admin code execution allows system disruption or ransomware installation).
## Remediation
### Patches
- ASUS released an update for ASUS DriverHub. Users are advised to open ASUS DriverHub and click the "Update Now" button to get the latest version.
### Workarounds
- Users uncomfortable with the background service automatically fetching files upon visiting websites may disable ASUS DriverHub from their BIOS settings.
## Detection
- Indicators of Compromise: Presence of unsigned or unexpected `.ini` or executable files related to the driver installation process following website visits, especially if the signature verification failed.
- Detection methods and tools: Monitoring process execution originating from ASUS DriverHub components that executes external files or utilizes configuration files that have not been subsequently cleaned up.
## References
- Vendor Advisory: blespingcomputer.com/news/security/asus-driverhub-flaw-let-malicious-sites-run-commands-with-admin-rights/
- Vendor Security Bulletin: asus.com/content/asus-product-security-advisory/