Drivers and control software for RGB LED lighting products from Asus and Gigabyte are reportedly leaving their users open to attack, with security researchers discovering privilege-escalation and arbitrary code execution vulnerabilities - despite both companies having been given time to patch the flaws.
A popular choice among enthusiast system builders, RGB lighting allows for the selection of one of 16.7 million colours for case, keyboard, mouse, and these days even mousemat and headset lighting under software control. These lights can be set to a single colour, multiple colours, animated, or tied in to other software to change according to fan speed, system temperature, or even the player's health in a game. For those who like a bit of bling, then, RGB lighting is usually an obvious upgrade choice over more staid components - but it's a choice which, researchers from SecureAuth have claimed, may be leaving users open to attack.
In a pair of security bulletins first spotted by Bleeping Computer, SecureAuth's Diego Juarez details a series of vulnerabilities in Asus' Aura Sync and Gigabyte's App Center, Aorus Graphics Engine, Xtreme Engine, and OC Guru II software, the latter of which are used for overclocking and hardware monitoring as well as RGB lighting control. These vulnerabilities range from allowing malicious software to elevate its privilege level to allowing for the execution of arbitrary code - serious flaws, in other words.
According to timelines published by SecureAuth, Asus was informed of the flaw in late November 2017 and given full technical details in late January this year. An update to the Aura Sync software was issued in April, but failed to fix any of the vulnerabilities; a further update in May fixed only one of two vulnerable drivers bundled with the software. Since then, SecureAuth claims Asus has been silent, leading to the public release of the related security advisory.
Gigabyte, the second company named by SecureAuth, didn't fare much better: the company was notified in April; by May it had claimed that it was 'a hardware company [and] not specialised in software' and thus couldn't be expected to understand SecureAuth's private advisory; and in July it finally closed the issue, claiming that 'its products are not affected by the reported vulnerabilities' - a claim SecureAuth has refuted with functional proof-of-concept attacks against the company's software.
At present, neither Gigabyte nor Asus appears to be shipping updates which fix the vulnerabilities highlighted by SecureAuth; accordingly, users are advised to uninstall the affected packages - Asus Aura Sync version 1.07.22 and earlier, Gigabyte App Center version 1.33 and earlier, Aorus Graphics Engine version 1.33 and earlier, Xtreme Engine version 1.25 and earlier, and OC Guru II version 2.08 and earlier - until such updates are made available. More information can be found in SecureAuth's Asus and Gigabyte advisories.