A severe vulnerability was discovered in Asus's pre-installed software, Asus DriverHub. This software, designed to update drivers, contains a flaw allowing remote code execution (RCE) with a single click. An attacker could craft a malicious URL that, when opened by a user with DriverHub installed, would automatically download and execute arbitrary code with SYSTEM privileges. This effectively gives the attacker full control of the victim's computer. The vulnerability stems from DriverHub improperly using a hardcoded certificate to validate downloaded updates, allowing attackers to sign malicious updates. The researcher disclosed the issue responsibly to Asus, which has since released a patched version. Users are strongly urged to update their DriverHub software immediately.
Security researcher "mr. bruh" has disclosed a critical Remote Code Execution (RCE) vulnerability in ASUS's preinstalled driver update utility, ASUS Driver Hub. The vulnerability affects ASUS Driver Hub up to and including version 2.1.9.0. Exploiting it allows an attacker to execute arbitrary code on a vulnerable system with elevated privileges, potentially granting complete control.
The core issue lies within how the ASUS Driver Hub application handles updates. The software downloads updates from ASUS's servers over an unencrypted HTTP connection, making it susceptible to a Man-in-the-Middle (MitM) attack. An attacker positioned between the user's system and ASUS's update servers could intercept and tamper with the downloaded update files.
Furthermore, the vulnerability is amplified by the fact that the update process does not involve any cryptographic signature verification. This lack of verification means that the ASUS Driver Hub software does not confirm the integrity or authenticity of the downloaded updates. Consequently, the application blindly installs the potentially malicious, attacker-modified updates.
Arbitrary code execution is possible because ASUS Driver Hub runs downloaded updates under the SYSTEM account, the highest privilege level in Windows. Malicious code delivered through the update channel therefore inherits maximum access to and control over the affected system.
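The three weaknesses described above (plaintext transport, no signature check, execution as SYSTEM) map to three checks an update client should perform before it runs anything it downloaded. The PowerShell function below is an added illustration of those checks; it is not code from the article, from ASUS or from the researcher. It assumes the update package is an Authenticode-signed Windows binary and that the vendor's code-signing certificate thumbprint is known to the client in advance (pinned); the URL and thumbprint in the usage comment are placeholders.

```powershell
# Added example (not ASUS's or the researcher's code): gate an update package on
# transport security, signature validity and signer identity before it is executed.
# Assumptions: Authenticode-signed binary; vendor signing-cert thumbprint pinned in the client.

function Test-UpdatePackage {
    param(
        [Parameter(Mandatory)] [string] $SourceUri,        # URL the package was fetched from
        [Parameter(Mandatory)] [string] $Path,             # local path of the downloaded file
        [Parameter(Mandatory)] [string] $PinnedThumbprint  # SHA-1 thumbprint of the expected signer
    )

    # 1. Transport: reject anything that did not arrive over TLS. Over plain HTTP a
    #    network-position attacker can replace the payload in transit.
    $uri = [System.Uri] $SourceUri
    if ($uri.Scheme -ne 'https') {
        return [pscustomobject]@{ Ok = $false; Reason = "insecure transport: $($uri.Scheme)" }
    }

    # 2. Authenticity and integrity: the file must carry a valid Authenticode signature.
    #    'Valid' means the embedded hash matches the file and the chain builds to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status: $($sig.Status)" }
    }

    # 3. Identity: a valid signature from *any* trusted publisher is not enough. Pin the
    #    vendor's own certificate so a correctly signed binary from a third party is rejected.
    #    (-ne is case-insensitive in PowerShell, so thumbprint casing does not matter.)
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $PinnedThumbprint) {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer: $actual" }
    }

    return [pscustomobject]@{ Ok = $true; Reason = 'verified'; Signer = $sig.SignerCertificate.Subject }
}

# Usage (placeholder values; the real thumbprint comes from the vendor's published certificate):
# $result = Test-UpdatePackage -SourceUri 'https://updates.example.invalid/pkg.exe' `
#     -Path "$env:TEMP\pkg.exe" -PinnedThumbprint '<VENDOR-CERT-THUMBPRINT>'
# if (-not $result.Ok) { Write-Error "Refusing to install: $($result.Reason)" }
```

Only a package that passes all three checks should be handed to a privileged installer; a failure in any one of them is the condition under which the SYSTEM-level execution described above becomes attacker-controlled.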
The researcher demonstrates a proof-of-concept exploit showcasing how an attacker could trigger the vulnerability by hosting a malicious server and using DNS poisoning techniques to redirect the victim's update requests. Once the manipulated update, containing the attacker’s code, is downloaded and executed by the ASUS Driver Hub, the attacker gains control of the system.
The researcher responsibly disclosed the vulnerability to ASUS on March 28, 2024. ASUS acknowledged the vulnerability and subsequently released a patched version, 2.1.10.0, addressing the issue. Users of ASUS Driver Hub are strongly urged to update to the latest version to mitigate this critical security risk. The researcher recommends complete removal of ASUS Driver Hub if its functionality isn't required.
Summary of Comments (234)
https://news.ycombinator.com/item?id=43951588
Hacker News users discuss the severity and implications of the ASUS driver vulnerability. Several express concern over the preinstalled nature of the software, making it difficult for average users to avoid or mitigate the risk. Some question the technical details of the exploit, particularly around the claimed "one-click" nature and the necessity of physical access. Others discuss the ethics of responsible disclosure and the vendor's response (or lack thereof) to the reported vulnerability. A few commenters offer potential solutions, including using a different driver update utility or manually verifying driver signatures. The discussion also touches upon the broader issue of supply chain security and the challenges of ensuring the integrity of preinstalled software.
The Hacker News post "One-Click RCE in Asus's Preinstalled Driver Software" (linking to mrbruh.com/asusdriverhub/) generated a moderate discussion with several insightful comments. Many users expressed concern over the vulnerability described in the article, with some noting the troubling trend of pre-installed bloatware posing security risks.
One commenter highlighted the irony of security software itself often being a source of vulnerabilities, referencing the fact that the vulnerable Asus software was intended for driver updates, a process meant to improve security. They also pointed out the difficulty in truly isolating such software, even in a virtual machine, due to the potential for exploiting shared resources.
Another user questioned the claim of "one-click RCE," arguing that user interaction beyond a single click might be required, such as navigating to a malicious download location or executing a downloaded file. This prompted further discussion about the definition of "one-click" exploits and the different attack vectors possible, such as a malicious website automatically triggering a download when visited.
Several comments discussed the implications of the vulnerability for average users. Some users argued that the average user is unlikely to encounter this exploit in the wild, while others countered that the existence of such vulnerabilities still represents a significant risk, especially given the prevalence of Asus computers. The ease of potential exploitation, even if requiring slightly more than a single click, was still a concern.
The practicality of the proposed mitigation (disabling or removing the Asus software) was also discussed. While seen as effective, some users questioned whether the average user would be able to perform these steps, or even be aware of the vulnerability in the first place.
Finally, a few comments touched on the larger issue of software supply chain security and the challenges of ensuring the integrity of pre-installed software. The Asus vulnerability served as a case study in the potential consequences of lax security practices in the software development and distribution process.