CVE-2018-19320
Published: 2018-12-21
Priority: P1 (84, high) · CVSS 3.1 score: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-11-14
Exploited in the wild
EPSS: 3.60% (88.0th percentile)
The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gigabyte | aorus_graphics_engine | < 1.57 | 1.57 |
| gigabyte | app_center | < 19.0422.1 | 19.0422.1 |
| gigabyte | oc_guru_ii | — | — |
| gigabyte | xtreme_gaming_engine | < 1.26 | 1.26 |
Detection & IOCs (extracted from sources)
- Monitor for loading of the GDrv low-level driver (GDrv kernel driver), which exposes ring0 memcpy-like functionality via IOCTLs. Presence of this driver being loaded, especially by non-GIGABYTE/non-vendor processes, is a strong indicator of BYOVD (Bring Your Own Vulnerable Driver) abuse.
- The RobbinHood ransomware group was observed leveraging this CVE (CVE-2018-19320) via the GDrv driver to subvert kernel memory settings and delete cybersecurity defenses. Hunt for ransomware precursor activity combined with vulnerable driver load events.
- Enable monitoring of user-mode interaction with vulnerable device drivers via IOCTLs (Additional User-Mode Data / AUMD). IOCTL calls to the GDrv driver from unexpected user-mode processes are a key detection signal for exploitation of CVE-2018-19320.
- The vulnerable driver (GDrv) is legitimately signed by GIGABYTE. Detection must account for the fact that the driver may appear legitimate; the context of who is loading it and what IOCTL calls follow is critical to avoid false positives.
- Affected product versions are: GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08. Detections should target these specific version ranges.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
GIGABYTE Multiple Products Unspecified Vulnerability
cisa · 2022-10-24 · CVSS 7.8
CVE-2018-19320 [HIGH] GIGABYTE Multiple Products Unspecified Vulnerability
Vulnerability: GIGABYTE Multiple Products Unspecified Vulnerability
Affected: GIGABYTE Multiple Products
The GDrv low-level driver in GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU II exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.
Required Action: Apply updates per vendor instructions.
Notes:
- https://www.gigabyte.com/Support/Security/1801
- https://nvd.nist.gov/vuln/detail/CVE-2018-19320
Remediation Due Date: 2022-11-14
GHSA
GHSA-wg2v-fx2j-3jrr: The GDrv low-level driver in GIGABYTE APP Center v1
ghsa_unreviewed · 2022-05-13
CVE-2018-19320 [HIGH] GHSA-wg2v-fx2j-3jrr: The GDrv low-level driver in GIGABYTE APP Center v1
The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.
VulnCheck
GIGABYTE Multiple Products Unspecified Vulnerability
vulncheck · 2018 · CVSS 7.8
CVE-2018-19320 [HIGH] GIGABYTE Multiple Products Unspecified Vulnerability
GIGABYTE Multiple Products Unspecified Vulnerability
The GDrv low-level driver in GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU II exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.
Affected: GIGABYTE Multiple Products
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/
- https://threatpost.com/byo-bug-windows-kernel-outdated-driver/152762/
- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
- https://thehackernews.com/2022/10/blackbyte-ransomware-abuses-vulne
No detection rules found.
No public exploits indexed.
References:
- http://seclists.org/fulldisclosure/2018/Dec/39
- http://www.securityfocus.com/bid/106252
- https://www.gigabyte.com/Support/Security/1801
- https://www.gigabyte.com/tw/Support/Utility/Graphics-Card
- https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-19320
Timeline:
- 2018-12-21: Published
- 2022-10-24: Added to CISA KEV
- Exploited in the wild