CVE-2018-19320
published 2018-12-21


Priority: P184 · 7.8 high (CVSS 3.1)
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-11-14
Exploited in the wild
EPSS: 3.60% (88.0th percentile)
The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.

Affected (4 ranges)

Vendor     Product                Version range   Fixed in
gigabyte   aorus_graphics_engine  < 1.57          1.57
gigabyte   app_center             < 19.0422.1     19.0422.1
gigabyte   oc_guru_ii
gigabyte   xtreme_gaming_engine   < 1.26          1.26

Detection & IOCs (extracted from sources)

filename: GDrv
  • Monitor for loading of the GDrv low-level driver (GDrv kernel driver), which exposes ring0 memcpy-like functionality via IOCTLs. Presence of this driver being loaded — especially by non-GIGABYTE/non-vendor processes — is a strong indicator of BYOVD (Bring Your Own Vulnerable Driver) abuse.
  • RobbinHood ransomware group was observed leveraging this CVE (CVE-2018-19320) via the GDrv driver to subvert kernel memory settings and delete cybersecurity defenses. Hunt for ransomware precursor activity combined with vulnerable driver load events.
  • Enable monitoring of user-mode interaction with vulnerable device drivers via IOCTLs (Additional User-Mode Data / AUMD). IOCTL calls to the GDrv driver from unexpected user-mode processes are a key detection signal for exploitation of CVE-2018-19320.
  • The vulnerable driver (GDrv) is legitimately signed by GIGABYTE. Detection must account for the fact that the driver may appear legitimate; the context of who is loading it and what IOCTL calls follow is critical to avoid false positives.
  • Affected product versions are: GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08. Detections should target these specific version ranges.
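Detection logic for the signals above, written as an added example (not code from this page or from GIGABYTE): it flags GDrv driver loads and IOCTL traffic from processes outside a vendor allow-list and escalates a process that does both. The telemetry schema, the on-disk name gdrv.sys, the AppCenter.exe path and all sample values are assumptions constructed for the example.

```python
# Assumptions (not from the advisory): the driver's on-disk name and the
# vendor process allowed to load it and talk to it. Tune both to your fleet.
GDRV_FILENAMES = {"gdrv.sys"}
APPCENTER = r"C:\Program Files (x86)\GIGABYTE\APP Center\AppCenter.exe"
ALLOWED_PROCESSES = {APPCENTER.lower()}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Flag GDrv driver loads and IOCTLs that come from non-vendor processes.

    Event schema is constructed for this example: driver_load events carry
    image/signer/process, device_ioctl events carry driver/ioctl_code/process.
    The signer is recorded as context only (the abused driver is legitimately
    signed); a process that loads GDrv and then sends it IOCTLs is escalated.
    """
    alerts, loaders = [], set()
    for ev in events:
        proc = ev.get("process", "").lower()
        if ev["type"] == "driver_load" and basename(ev["image"]) in GDRV_FILENAMES:
            loaders.add(proc)
            if proc not in ALLOWED_PROCESSES:
                alerts.append({"severity": "high", "process": proc,
                               "reason": f"GDrv loaded by non-vendor process (signer={ev.get('signer')})"})
        elif ev["type"] == "device_ioctl" and basename(ev["driver"]) in GDRV_FILENAMES:
            if proc in ALLOWED_PROCESSES:
                continue
            severity = "critical" if proc in loaders else "medium"
            alerts.append({"severity": severity, "process": proc,
                           "reason": f"IOCTL {ev['ioctl_code']} to GDrv from non-vendor process"})
    return alerts


# Constructed sample telemetry; paths, signer strings and IOCTL codes are made up.
SAMPLE_EVENTS = [
    {"type": "driver_load", "image": r"C:\Program Files (x86)\GIGABYTE\APP Center\gdrv.sys",
     "signer": "GIGABYTE (constructed)", "process": APPCENTER},
    {"type": "device_ioctl", "driver": "gdrv.sys", "ioctl_code": "0x<constructed>", "process": APPCENTER},
    {"type": "driver_load", "image": r"C:\Users\Public\gdrv.sys",
     "signer": "GIGABYTE (constructed)", "process": r"C:\Users\Public\svc.exe"},
    {"type": "device_ioctl", "driver": "gdrv.sys", "ioctl_code": "0x<constructed>",
     "process": r"C:\Users\Public\svc.exe"},
    {"type": "device_ioctl", "driver": "gdrv.sys", "ioctl_code": "0x<constructed>",
     "process": r"C:\Temp\tool.exe"},
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\other.sys",
     "signer": "Microsoft (constructed)", "process": "System"},
]
```

Running `analyze(SAMPLE_EVENTS)` yields three alerts: high for the load from `C:\Users\Public\svc.exe`, critical for that process's follow-up IOCTL, and medium for the IOCTL from `tool.exe`; the vendor process and the unrelated driver produce nothing.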

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck            7.8    HIGH
cisa                 7.8    HIGH