ACTIVE-2020-003: Trident Z Lighting Control Driver Local Privilege Escalation
Vulnerability Type:
Privilege Escalation
Vendors:
G.SKILL International Enterprise Co., Ltd.
CVE ID:
CVE-2020-12446
Affected Products:
- Trident Z Lighting Control v1.00.08 and older
Summary:
ene.sys driver in Trident Z Lighting Control v1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users which leads to privilege escalation as NT AUTHORITY\SYSTEM.
Mitigation:
The vendor has released a patch in version 1.00.17 addressing this vulnerability.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://www.gskill.com/dl_tbl/tz_lighting_control_changelog.htm
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12446
- https://nvd.nist.gov/vuln/detail/CVE-2020-12446
Disclosure Timeline:
- 01-03-20: ACTIVELabs contacted G.SKILL via ustech@gskillusa.com requesting security contact
- 01-06-20: G.SKILL requested to send vulnerability report and provided an email address
- 01-08-20: ACTIVELabs requested PGP key
- 01-13-20: G.SKILL provided PGP key
- 01-15-20: ACTIVELabs submitted vulnerability report using provided PGP key and requested timeline for the patch
- 01-15-20: G.SKILL confirmed receiving the report
- 01-15-20: G.SKILL provided patch for testing
- 01-17-20: ACTIVELabs confirmed patch work as expected
- 01-17-20: G.SKILL informed ACTIVELabs that additional features/tests will be conducted and patch should be released by end of February
- 02-11-20: G.SKILL provided patch for testing
- 02-13-20: ACTIVELabs confirmed patch is not working properly
- 02-24-20: G.SKILL provided patch for testing
- 02-26-20: ACTIVELabs was able to bypass the patch and provided feedback for fix
- 02-27-20: G.SKILL provided patch for testing
- 03-03-20: ACTIVELabs confirmed patch is not working properly and provided recommendations for fix
- 03-03-20: G.SKILL responded they will consider the recommendations provided
- 03-17-20: ACTIVELabs requested an update
- 03-18-20: G.SKILL responded that work is slower due to COVID-19 and will provide an update once patch is done
- 04-13-20: ACTIVELabs requested an update
- 04-16-20: G.SKILL provided patch for testing
- 04-21-20: ACTIVELabs confirmed patch work as expected and requested to provide a timeline of when the patch will be made public
- 04-21-20: G.SKILL responded they should be releasing the patched version on Monday, April 27th.
- 04-27-20: Trident Z Lighting Control version 1.00.17 released
- 04-27-20: ACTIVELabs publishes this advisory
- 04-27-20: ACTIVELabs request CVE from MITRE
- 04-29-20: CVE-2020-12446 assigned