Vendor Realtek has closed a DLL hijacking vulnerability in its HD audio driver package. Here is some information about this issue.
Vulnerability in Realtek audio driver package
I came across the subject through Bleeping Computer. Peleg Hadar found the DLL hijacking vulnerability and points out the problem in this tweet:
CVE-2019-19705 – A vulnerability which I found in Realtek’s Driver package for Windows, which affects a lot of PC users: https://t.co/5MpYix6t7o
— Peleg Hadar (@peleghd) February 4, 2020
In that article, Hadar describes the vulnerability CVE-2019-19705, found by SafeBreach Labs. Using his own guard DLLs, he discovered that the MFC application RAVBg64.exe (owned by Realtek) loads DLLs without considering their path. A missing (system) DLL would therefore be loaded by Windows from the current working directory.
Specifically, the HD Audio background process, running as NT AUTHORITY\SYSTEM, tries to load RAVBg64ENU.dll and RAVBg64LOC.dll from the working directory even though the DLLs are not found there. An attacker with appropriate permissions could exploit this by placing his own files with these names in that folder. They would be loaded by the HD Audio background process, allowing malware to persist on the system.
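A detection sketch for the behaviour described above, added here as an example and not taken from Hadar's article or from Realtek: because the two DLLs are normally not found, any successful load of them by RAVBg64.exe deserves a look. It assumes Sysmon image-load events (Event ID 7) exported as JSON lines; the sample events and the C:\Example path are constructed.

```python
import json
import ntpath  # parses Windows paths correctly on any OS

HOST_PROCESS = "ravbg64.exe"                          # process named in the article
WATCHED_DLLS = {"ravbg64enu.dll", "ravbg64loc.dll"}   # DLL names from the article

# Constructed sample events; C:\Example is a placeholder, not the real install path.
SAMPLE_EVENTS = r'''
{"EventID": 7, "UtcTime": "2020-02-05 09:00:01", "Image": "C:\\Example\\RAVBg64.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2020-02-05 09:00:02", "Image": "C:\\Example\\RAVBg64.exe", "ImageLoaded": "C:\\Example\\RAVBg64ENU.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "UtcTime": "2020-02-05 09:00:03", "Image": "C:\\Example\\other.exe", "ImageLoaded": "C:\\Example\\RAVBg64LOC.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"EventID": 7, "UtcTime": "2020-02-05 09:00:04", "Image": "c:\\example\\ravbg64.EXE", "ImageLoaded": "c:\\example\\ravbg64loc.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 1, "UtcTime": "2020-02-05 09:00:05", "Image": "C:\\Example\\RAVBg64.exe"}
'''

def find_suspicious_loads(json_lines):
    """Return one finding per watched DLL actually loaded by the audio process."""
    findings = []
    for line in json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 7:          # only image-load events matter here
            continue
        # Windows file names are case-insensitive, so compare lowercased base names.
        process = ntpath.basename(event.get("Image", "")).lower()
        dll = ntpath.basename(event.get("ImageLoaded", "")).lower()
        if process != HOST_PROCESS or dll not in WATCHED_DLLS:
            continue
        validly_signed = (str(event.get("Signed", "")).lower() == "true"
                          and event.get("SignatureStatus") == "Valid")
        findings.append({
            "time": event.get("UtcTime"),
            "dll_path": event["ImageLoaded"],
            # An unsigned DLL under one of these names is the strongest signal;
            # a signed one still needs a check of who signed it.
            "severity": "review" if validly_signed else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_loads(SAMPLE_EVENTS):
        print(finding)
```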
Vulnerability fixed, old driver packages remain a problem
The vulnerability was reported to Realtek on July 10, 2019, and closed with a patch on December 13, 2019. The fix can be found in the Realtek HD Audio driver package version 8857 or later. Driver versions prior to 8855 created with Microsoft Visual Studio 2005 (VS2005) are still vulnerable to attacks.
While writing this post, I saw this German comment from blog reader 1ST1, which points out a serious problem:
The stupid thing is, on http://www.realtek.com and realtek-downloads.com you can only find HD-Audio drivers from the years 2017 and 18, but nothing from December 2019. And they have different version numbers: 2.xx, and nothing with 88xx…
People also complain about this here https://www.tenforums.com/sound-audio/135259-latest-realtek-hd-audio-driver-version-2-a-145.html
and offer even newer drivers, the latest is 8888.1 via download links in the Magenta cloud. But I don’t find this trustworthy…
Maybe you can find these newer versions on websites of mainboard manufacturers (ASUS, MSI, Gigabyte, …), but you’d have to kick Realtek’s butt for that.
That’s a good description of the point. Maybe this is helpful for one or the other reader.