Vendor Realtek has closed a DLL hijacking vulnerability in its HD audio driver package. Here is some information about this issue.
Vulnerability in Realtek audio driver package
I came across the subject through Bleeping Computer. Peleg Hadar found the DLL hijacking vulnerability and points out the problem in this tweet:
CVE-2019-19705 – A vulnerability which I found in Realtek's Driver package for Windows, which affects a lot of PC users: https://t.co/5MpYix6t7o
— Peleg Hadar (@peleghd) February 4, 2020
In the linked article, Hadar describes the vulnerability CVE-2019-19705, found by SafeBreach Labs. Using his own guard DLLs, he discovered that the MFC application RAVBg64.exe (owned by Realtek) loads DLLs without considering their path. Thus a missing (system) DLL would be loaded by Windows from the current working directory.
Specifically, the HD Audio background process running as NT AUTHORITY\SYSTEM tries to load the RAVBg64ENU.dll and the RAVBg64LOC.dll from the working directory
C:\Program Files\Realtek\Audio\HDA\
even though the DLLs are not found there. An attacker with appropriate permissions could use this to place their own files with these names in this folder. These would be loaded by the HD Audio background process and would allow malware to persist on the system.
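A defender-side check for the condition described above, as an added example (not code from the original post, SafeBreach Labs or Realtek). It reports whether either DLL name exists in the folder, which per the article is not normally the case, and lists ACL entries that let other principals create files there. The function names and the trusted-SID list are assumptions of this example.

```powershell
# Added example: audit the folder and DLL names given in the article.
$HdaDir   = 'C:\Program Files\Realtek\Audio\HDA'     # path from the article
$DllNames = 'RAVBg64ENU.dll', 'RAVBg64LOC.dll'       # names from the article

# Assumption: only these principals are expected to hold write access.
$TrustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER (inherit-only placeholder ACE)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-UnexpectedDll {
    param([string]$Directory, [string[]]$Names)
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path      = $path
            Created   = (Get-Item -LiteralPath $path).CreationTimeUtc
            Signature = $sig.Status     # 'Valid' only for an intact, trusted signature
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

function Get-UntrustedWriteAce {
    param([string]$Directory, [string[]]$Trusted)
    # WriteData/CreateFiles (0x2), AppendData (0x4), GENERIC_ALL, GENERIC_WRITE
    $writeMask = 0x50000006
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Directory).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $_.IdentityReference.Value -notin $Trusted
        } |
        Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

if (Test-Path -LiteralPath $HdaDir -PathType Container) {
    Get-UnexpectedDll     -Directory $HdaDir -Names $DllNames | Format-List
    Get-UntrustedWriteAce -Directory $HdaDir -Trusted $TrustedSids | Format-Table -AutoSize
} else {
    Write-Output "Not present: $HdaDir"
}
```

Empty output from both functions means neither DLL name is present and no principal outside the trusted list can create files in the folder.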
Vulnerability fixed, but old driver packages remain a problem
The vulnerability was reported to Realtek on July 10, 2019, and closed with a patch on December 13, 2019. The fix can be found in the Realtek HD Audio driver package ver.8857 or later. Driver versions prior to 8855 created with Microsoft Visual Studio 2005 (VS2005) are still vulnerable to attacks.
While writing this post, I saw this German comment from blog reader 1ST1, which points out a serious problem:
The stupid thing is, on http://www.realtek.com and realtek-downloads.com you can only find HD-Audio drivers from the year 2017 and 18, but nothing from December 2019. And they have different version numbers: 2.xx, and nothing with 88xx…
People also complain about this here https://www.tenforums.com/sound-audio/135259-latest-realtek-hd-audio-driver-version-2-a-145.html
and offer even newer drivers, the latest is 8888.1 via download links in the Magenta cloud. But I don't find this trustworthy…
Maybe you can find these newer versions on websites of mainboard manufacturers (ASUS, MSI, Gigabyte, …), but you'd have to kick Realtek's butt for that.
That sums up the problem well. Maybe this is helpful for some readers.
guenni:
only older legacy HDA (nonUAD, non-DCH) Realtek audio drivers were affected.
the newer UAD/DCH based audio drivers were not affected
The versions are actually v6.0.88xx and reportedly still have bugs in HDA and Nahimic.
Sorry for the confusion but the v6.0.88xx are the modern non-affected drivers.
This CVE is about the legacy drivers as stated above and the fix will be
"Legacy (non-DCH) driver v1.0.0.8856" and is not available to the public as yet.
It's ultimately up to Realtek to notify all PC manufacturers & motherboard makers about the security flaw in their older legacy HDA drivers and to provide them with updated drivers, which will take some time as the manufacturers will also have to test the new drivers on their systems as well.
As one of the comments from bleepingcomputer.com:
https://www.bleepingcomputer.com/news/security/realtek-fixes-dll-hijacking-flaw-in-hd-audio-driver-for-windows/
you need to contact the manufacturer of your computer and check if an updated Realtek HDA driver has been posted (usually not available right away)
Mail to support@realtek.com (sent via Windows 10 Mail via live.de (Microsoft))
immediately blocked by REALTEK as SPAM. That's how easy customer service is, right? :DD
to: support@realtek.com
subject: request download link for complete driver package CODEC: ALC 1220 / windows 10 insider build 19569
Dear Madam, Dear Sir
Please provide me with a source for the complete Driver package for my Windows 10 64bit build 15569 which has updated security fix vs DLL injection vulnerability CVE-2019-19705
I require a full installer package with setup including HD Audio Manager.
ASUS Mainboard: Z370 F Gaming last driver update is in excess of 12 months on ASUS support site and does NOT contain required security fixes.
Please respond asap!
Regards. C.Smith
@C.Smith
send the email to the Asus security team at security@asus.com and let them know about the Realtek HD audio driver vulnerability in your Asus Z370-F Gaming board so that ASUS will be the one to ask Realtek for updated audio drivers.
there is a Realtek HDA legacy driver v6.0.8858.1 available from ASUS from this download link:
https://dlcdnets.asus.com/pub/ASUS/nb/DriversForWin10/Audio/Audio_Realtek_Win10_64_VER6088581_Logo.zip
however it may or may not work for the Asus Rog Strix Z370-F Gaming motherboard and only works for select Asus laptops & some older motherboards with no special audio features like Sonic Studio
you need to ask ASUS to contact Realtek directly since Realtek listens more to PC manufacturers & motherboard makers than with PC end users like you & me, C. Smith
let ASUS be the ones to beg Realtek to produce the updated security bug-fixed HDA audio drivers.
for those using Realtek HDA legacy drivers on certain Lenovo ThinkCentre machines, version 6.0.8881.1 is available from the following support links posted March 20, 2020:
https://pcsupport.lenovo.com/us/en/downloads/DS120702
https://pcsupport.lenovo.com/us/en/downloads/DS120664
unlike the ASUS based 8858 HDA driver, the 8881 HDA driver from Lenovo does include the generic hdart.inf & hdxrt.inf files which allow installation on nearly any Realtek HD audio device.
Lenovo has also posted this standard/legacy Realtek HDA driver 6.0.8924.1 in late April 2020 that works for many ideacentre & thinkcentre models:
https://pcsupport.lenovo.com/us/en/downloads/DS504050
this too also includes generic hdart.inf & hdxrt.inf files.
I almost forgot, Lenovo also has version 6.0.8899.1 of the Realtek HDA driver available from this page:
https://pcsupport.lenovo.com/us/en/downloads/DS500391
this one also includes the generic hdart.inf & hdxrt.inf files that will allow installation on any Realtek HD audio device whether it's on a Lenovo computer or any other name brand PC.
It looks like Dell has finally published a security advisory regarding the Realtek audio driver vulnerability near the end of May 2020:
https://www.dell.com/support/article/en-us/sln321636/dsa-2020-131-dell-client-platform-security-update-security-advisory-for-realtek-vulnerability