Attacker Value
Low
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
3

CVE-2020-17382

Disclosure Date: October 02, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The MSI AmbientLink MsIo64 driver 1.0.0.8 has a Buffer Overflow (0x80102040, 0x80102044, 0x80102050,and 0x80102054).

Add Assessment

4
Ratings
Technical Analysis

This is a vulnerability in the MSI AmbientLink Version 1.0.0.8. The vulnerability allows a regular user access to a Windows device created by the msio driver provided for the MSI Ambientlink system.
The software device is vulnerable to a buffer overflow attack because it assumes that the received buffer will always be less than 48 bytes, apparently, even when longer lengths are specified by the IOCTL request.
Realistically, as this software runs LED lights on MSI gaming motherboards, it is unlikely to pose a large threat to corporate environments and instead, poses a larger threat to home users or individually-managed PCs, making the patching process significantly easier. I imagine it is also possible to simply remove the software temporarily.
See https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities for a more in-depth analysis and PoC code.

3
Ratings
Technical Analysis

Whilst I agree with most of the points @bwatters-r7 makes on this one, I think it is also important to note that as of right now, there does not appear to be a patch for this vulnerability, as if one dives into the CoreSecurity pages they will see that according to CoreSecurity MSI never responded to their request. I can also confirm this by visiting https://www.msi.com/Landing/mystic-light-rgb-gaming-pc/download, and trying to download the latest version of AmbientLink, which at the time is 1.0.0.08. Looking at this ZIP file shows that it was last updated on 2019-10-14, aka October 14th 2019, and given that CoreSecurity moved to full disclosure on 2020-08-07, or August 7th 2020, I think its safe to say that this bug still hasn’t been patched.

Additionally its also important to note that the driver for this software will be signed in such a way that its still trusted by Microsoft machines. Therefore so long as you have permissions to install this driver on a system, you can still gain SYSTEM level code execution on pretty much any Microsoft machine you desire.

Of course the counter argument to this is really two fold. The first is that most of the time you won’t have permissions to install arbitrary software on the target machine, which kind of negates the point I made earlier. Additionally to @bwatters-r7 ’s point, this software is going to be typically installed on a home user’s gamer rig, which limits the number of users that will be affected by this bug and since gamers generally tend to like using the latest and greatest thing, they will be more inclined to apply the updates for this bug when it does get fixed.

So yeah overall feeling is that this is a medium as there is a severe impact, no patch, and working PoC’s for Windows 7 and Windows 10 from CoreSecurity,

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • msi

Products

  • ambientlink mslo64 firmware 1.0.0.8

Additional Info

Technical Analysis