Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ACTIVE-2020-003: Trident Z Lighting Control Driver Local Privilege Escalation

Vulnerability Type:

Privilege Escalation

Vendors:

G.SKILL International Enterprise Co., Ltd.

CVE ID:

CVE-2020-12446

Affected Products:

  • Trident Z Lighting Control v1.00.08 and older

Summary:

ene.sys driver in Trident Z Lighting Control v1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users which leads to privilege escalation as NT AUTHORITY\SYSTEM.

Mitigation:

The vendor has released a patch in version 1.00.17 addressing this vulnerability.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 01-03-20: ACTIVELabs contacted G.SKILL via ustech@gskillusa.com requesting security contact
  • 01-06-20: G.SKILL requested to send vulnerability report and provided an email address
  • 01-08-20: ACTIVELabs requested PGP key
  • 01-13-20: G.SKILL provided PGP key
  • 01-15-20: ACTIVELabs submitted vulnerability report using provided PGP key and requested timeline for the patch
  • 01-15-20: G.SKILL confirmed receiving the report
  • 01-15-20: G.SKILL provided patch for testing
  • 01-17-20: ACTIVELabs confirmed patch work as expected
  • 01-17-20: G.SKILL informed ACTIVELabs that additional features/tests will be conducted and patch should be released by end of February
  • 02-11-20: G.SKILL provided patch for testing
  • 02-13-20: ACTIVELabs confirmed patch is not working properly
  • 02-24-20: G.SKILL provided patch for testing
  • 02-26-20: ACTIVELabs was able to bypass the patch and provided feedback for fix
  • 02-27-20: G.SKILL provided patch for testing
  • 03-03-20: ACTIVELabs confirmed patch is not working properly and provided recommendations for fix
  • 03-03-20: G.SKILL responded they will consider the recommendations provided
  • 03-17-20: ACTIVELabs requested an update
  • 03-18-20: G.SKILL responded that work is slower due to COVID-19 and will provide an update once patch is done
  • 04-13-20: ACTIVELabs requested an update
  • 04-16-20: G.SKILL provided patch for testing
  • 04-21-20: ACTIVELabs confirmed patch work as expected and requested to provide a timeline of when the patch will be made public
  • 04-21-20: G.SKILL responded they should be releasing the patched version on Monday, April 27th.
  • 04-27-20: Trident Z Lighting Control version 1.00.17 released
  • 04-27-20: ACTIVELabs publishes this advisory
  • 04-27-20: ACTIVELabs request CVE from MITRE
  • 04-29-20: CVE-2020-12446 assigned