ACTIVE-2020-001: CORSAIR iCUE Driver Local Privilege Escalation
Vulnerability Type:
Privilege Escalation
Vendors:
CORSAIR
CVE ID:
CVE-2020-8808
Affected Products:
- CORSAIR iCUE version 3.24.52 and older
Summary:
CorsairLLAccess64.sys/CorsairLLAccess32.sys driver in CORSAIR iCUE version 3.24.52 and older allows local non-privileged users (including low-integrity level processes) to read and write arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges via MmMapIoSpace amongest other function calls.
Mitigation:
The vendor has released a patch in version 3.25.60 addressing this vulnerability.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://forum.corsair.com/v3/showthread.php?t=193831
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8808
- https://nvd.nist.gov/vuln/detail/CVE-2020-8808
Disclosure Timeline:
- 12-10-19: ACTIVELabs submitted a ticket to CORSAIR via support portal
- 12-12-19: CORSAIR support requested vulnerability details to forward to the appropriate team
- 12-16-19: ACTIVELabs sent vulnerability details along with proof-of-concept exploit to CORSAIR support
- 12-17-19: CORSAIR support responded that they will look into it and get back with us
- 12-31-19: ACTIVELabs requested an update
- 12-31-19: CORSAIR support responded there is no update for the time being
- 01-13-20: ACTIVELabs tested version 3.24.52 released on 01/06/2020 and informed CORSAIR support that the driver is indeed still vulnerable
- 01-14-20: CORSAIR support responded there is no update on this ticket still
- 01-17-20: CORSAIR support updated ACTIVELabs that the issue has been resolved in version 3.25.54 and asked if we would like a copy of the patch
- 01-20-20: ACTIVELabs requested to test the patch and provide timeline on when the patched version will be made public
- 01-22-20: CORSAIR support responded the ETA for the patch is 01/28/20 and shared link to download the patch
- 01-24-20: ACTIVELabs informed CORSAIR support that the patch has nullified the reported vulnerability and an advisory along with blog post will be released once the patch is made public
- 01-30-20: ACTIVELabs request an update in regard to patch ETA which was supposed to be released on 01/28/20
- 01-30-20: CORSAIR support responded that new update was requested last minute and they will share new ETA once determined
- 02-06-20: ACTIVELabs requested an update
- 02-06-20: CORSAIR support responded that new version will be released today
- 02-06-20: ACTIVELabs sent CORSAIR support draft blog post for review
- 02-06-20: CORSAIR iCUE version 3.25.60 released
- 02-07-20: ACTIVELabs publishes this advisory
- 02-07-20: ACTIVELabs request CVE from MITRE
- 02-07-20: CVE-2020-8808 assigned