CVE-2019-7244
Description
An issue was discovered in kerneld.sys in AIDA64 before 5.99. The vulnerable driver exposes a wrmsr instruction via IOCTL 0x80112084 and does not properly filter the Model Specific Register (MSR). Allowing arbitrary MSR writes can lead to Ring-0 code execution and escalation of privileges.
Ratings
Attacker Value: High
Exploitability: Very Low
Technical Analysis
This vulnerability takes advantage of an exposed IOCTL code (0x80112084) within the kerneld.sys driver that is included with AIDA64. Model Specific Registers (MSRs) are control registers in the x86 instruction set used for debugging, program execution tracing, performance monitoring, and managing and toggling certain CPU functionality. The driver lets a user-mode binary write to an MSR on the victim system, and successful exploitation of this vulnerability can allow ring-0 code execution from an unauthorized and unauthenticated user-mode standpoint. An exposed WRMSR instruction gives the attacker a pointer-overwrite primitive: because the driver does not appropriately filter which MSRs may be written, an attacker can overwrite an MSR that holds a kernel pointer, and that pointer is then called in ring-0.
The commonly used technique for this is that an attacker uses this MSR read/write primitive to traverse the SYSTEM process's EPROCESS structure for a SYSTEM-level token, and then either spawns a new process with it or swaps the SYSTEM token into their current process.
On January 1st FireEye contacted the vendor with disclosure of the vulnerability, and on November 4th, 2019 FireEye verified that the issue was successfully resolved.
The recommended mitigation is to update your current AIDA64 with the latest provided version of the software.
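The root cause described above is an IOCTL handler that passes a user-supplied MSR index straight to WRMSR. The following is an added example, not kerneld.sys code or anything from the AIDA64 vendor: a plain-C model of that dispatch with a simulated WRMSR, showing the unfiltered pattern next to a hardened handler that checks the buffer length, copies the request out once, and writes only MSRs on an explicit allow-list. The request layout, the status codes, the `try_write` helper and the allow-list contents are assumptions made for illustration; the IOCTL code is the one named in the CVE description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kerneld.sys code: the IOCTL dispatch is written in
 * plain C with a simulated WRMSR so it builds and runs outside the WDK.
 * The request layout, status codes and allow-list are assumptions. */

#define IOCTL_WRITE_MSR 0x80112084u   /* IOCTL code named in the CVE description */
#define IA32_LSTAR      0xC0000082u   /* holds the kernel's SYSCALL entry pointer */
#define IA32_TSC        0x10u         /* time-stamp counter */

enum status { STATUS_OK = 0, STATUS_BAD_IOCTL, STATUS_BAD_LENGTH, STATUS_DENIED };

/* Assumed input-buffer layout: MSR index plus the 64-bit value to write. */
struct msr_write_req {
    uint32_t msr;
    uint32_t pad;
    uint64_t value;
};

/* Simulated WRMSR: records the write instead of executing the privileged
 * instruction, so the effect of each handler can be observed from user space. */
static uint32_t last_msr = 0xFFFFFFFFu;
static uint64_t last_value;

static void sim_wrmsr(uint32_t msr, uint64_t value)
{
    last_msr = msr;
    last_value = value;
}

uint32_t sim_last_msr(void)   { return last_msr; }
uint64_t sim_last_value(void) { return last_value; }

/* Vulnerable pattern (as the page describes): whatever MSR index user mode
 * supplies is passed straight to WRMSR, and the buffer length is not checked. */
enum status handle_ioctl_vulnerable(uint32_t code, const void *buf, size_t len)
{
    (void)len;
    if (code != IOCTL_WRITE_MSR)
        return STATUS_BAD_IOCTL;
    const struct msr_write_req *req = buf;
    sim_wrmsr(req->msr, req->value);
    return STATUS_OK;
}

/* Hardened pattern: validate the buffer, copy it out once, then allow only an
 * explicit list of MSRs the tool has a reason to write. Pointer-bearing MSRs
 * such as IA32_LSTAR are never on the list. (List contents are an assumption.) */
static const uint32_t allowed_write_msrs[] = { IA32_TSC };

static bool msr_write_allowed(uint32_t msr)
{
    for (size_t i = 0; i < sizeof allowed_write_msrs / sizeof allowed_write_msrs[0]; i++)
        if (allowed_write_msrs[i] == msr)
            return true;
    return false;
}

enum status handle_ioctl_hardened(uint32_t code, const void *buf, size_t len)
{
    if (code != IOCTL_WRITE_MSR)
        return STATUS_BAD_IOCTL;
    if (buf == NULL || len < sizeof(struct msr_write_req))
        return STATUS_BAD_LENGTH;
    struct msr_write_req req;
    memcpy(&req, buf, sizeof req);      /* local copy: validation and use see the same data */
    if (!msr_write_allowed(req.msr))
        return STATUS_DENIED;
    sim_wrmsr(req.msr, req.value);
    return STATUS_OK;
}

/* Builds one request and runs it through either handler (helper for main()). */
enum status try_write(bool hardened, uint32_t msr, size_t len)
{
    struct msr_write_req req = { .msr = msr, .pad = 0, .value = 0x1234 }; /* constructed value */
    return hardened ? handle_ioctl_hardened(IOCTL_WRITE_MSR, &req, len)
                    : handle_ioctl_vulnerable(IOCTL_WRITE_MSR, &req, len);
}

int main(void)
{
    size_t full = sizeof(struct msr_write_req);
    printf("vulnerable, IA32_LSTAR: status %d, last MSR written 0x%x\n",
           try_write(false, IA32_LSTAR, full), sim_last_msr());
    printf("hardened,   IA32_LSTAR: status %d (denied)\n", try_write(true, IA32_LSTAR, full));
    printf("hardened,   IA32_TSC:   status %d (allowed)\n", try_write(true, IA32_TSC, full));
    printf("hardened,   short buf:  status %d (bad length)\n", try_write(true, IA32_TSC, 4));
    return 0;
}
```

The allow-list is the essential control: a monitoring tool has no reason to let an unprivileged caller write arbitrary MSRs, and an index-based deny-list would be brittle across CPU generations. In a real driver the same handler would also be paired with a restrictive DACL on the device object so that only administrators can open it at all, which limits the blast radius even if the filter has a gap.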