Realtek closes a DLL Hijacking Vulnerability in HD Audio driver

[German]Vendor  Realtek has closed a DLL hijacking vulnerability in its HD audit driver package. Here is some information about this issue.


Advertising

Vulnerability in Realtek audio driver package

I came across the subject through Bleeping Computer. Peleg Hadar has found the DLL hijacking vulnerability and points out the problem in this tweet

Within this article Hadar describes the vulnerability CVE-2019-19705 found by SafeBreach Labs using his own guard DLLs and discovered that the MFC application RAVBg64.exe (owned by Realtek) reloads DLLs without considering their path. Thus a missing (system) DLL would be reloaded by Windows from the current working directory.

Specifically, the HD Audio background process running as NT AUTHORITY\SYSTEM tries to load the RAVBg64ENU.dll and the RAVBg64LOC.dll from the working directory

C:\Program Files\Realtek\Audio\HDA\


Advertising

even though the DLLs are not found there. An attacker with appropriate permissions could use this to place his own files with this name in this folder. These would be loaded by the HD Audio background process and would allow malware to be persistently anchored in the system.

Vulnerability fixed, old driver packages as problem

The vulnerability was reported to Realtek on July 10, 2019, and closed with a patch on December 13, 2019. The fix can be found in the Realtek HD Audio driver package ver.8857 or later. Driver versions prior to 8855 created with Microsoft Visual Studio 2005 (VS2005) are still vulnerable to attacks.

While writing this post, I saw this German comment from blog reader 1ST1, which points out a serious problem:

The stupid thing is, on http://www.realtek.com and realtek-downloads.com you can only find HD-Audio drivers from the year 2017 and 18, but nothing from December 2019. And they have different version numbers: 2.xx, and nixda with 88xx…

People also complain about this here https://www.tenforums.com/sound-audio/135259-latest-realtek-hd-audio-driver-version-2-a-145.html

and offer even newer drivers, the latest is 8888.1 via download links in the Mangenta cloud. But I don’t find this trustworthy…

Maybe you can find these newer versions on websites of mainboard manufacturers (ASUS, MSI, Gigabyte, …), but you’d have to kick Realtek’s butt for that.

That’s a good description of the point. Maybe this is helpful for one or the other reader.


Advertising


This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

11 Responses to Realtek closes a DLL Hijacking Vulnerability in HD Audio driver

  1. EP says:

    guenni:

    only older legacy HDA (nonUAD, non-DCH) Realtek audio drivers were affected.
    the newer UAD/DCH based audio drivers were not affected

  2. J.Swift says:

    The versions are actually v6.0.88xx and reportedly still have bugs in HDA and Nahimic.

    • J.Swift says:

      Sorry for the confusion but the v6.0.88xx are the modern non-affected drivers.
      This CVE is about the lagacy drivers as stated above and the fix will be
      “Legacy (non-DCH) driver v1.0.0.8856” and is not available to the public as yet.

  3. C. says:

    Mail an support@realtek.com (gesendet über windows 10 mail via live.de (microsoft)
    umgehend blockiert von REALTEK als SPAM. So geht Kundendienst einfach ne? :DD
    to: support@realtek.com
    subject: request download link for complete driver package CODEC: ALC 1220 / windows 10 insider build 19569

    Dear Madam,Dear Sir
    Please provide me with a source for the complete Driver package for my Windows 10 64bit build 15569 which has updated security fix vs DLL injection vulnerability CVE-2019-19705
    I require a full installer package with setup including HD Audio Manager.
    ASUS Mainboard: Z370 F Gaming last driver update is in excess of 12 months on ASUS support site and does NOT contain required security fixes.
    Please respond asap!
    Regards. C.Smith

    • EP says:

      @C.Smith

      send the email to the Asus security team at security@asus.com and let them know about the Realtek HD audio driver vulnerability in your Asus Z370-F Gaming board so that ASUS will be the one to ask Realtek for updated audio drivers.

  4. Advertising

  5. EP says:

    there is a Realtek HDA legacy driver v6.0.8858.1 available from ASUS from this download link:
    https://dlcdnets.asus.com/pub/ASUS/nb/DriversForWin10/Audio/Audio_Realtek_Win10_64_VER6088581_Logo.zip

    however it may or may not work for the Asus Rog Strix Z370-F Gaming motherboard and only works for select Asus laptops & some older motherboards with no special audio features like Sonic Studio

    you need to ask ASUS to contact Realtek directly since Realtek listens more to PC manufacturers & motherboard makers than with PC end users like you & me, C. Smith
    let ASUS be the ones to beg Realtek to produce the updated security bug-fixed HDA audio drivers.

  6. EP says:

    for those using Realtek HDA legacy drivers on certain Lenovo ThinkCentre machines, version 6.0.8881.1 is available from the following support links posted March 20, 2020:
    https://pcsupport.lenovo.com/us/en/downloads/DS120702
    https://pcsupport.lenovo.com/us/en/downloads/DS120664

    unlike the ASUS based 8858 HDA driver, the 8881 HDA driver from Lenovo does include the generic hdart.inf & hdxrt.inf files which allow installation on nearly any Realtek HD audio device.

  7. EP says:

    It looks like Dell has finally published a security advisory regarding the Realtek audio driver vulnerability near the end of May 2020:

    https://www.dell.com/support/article/en-us/sln321636/dsa-2020-131-dell-client-platform-security-update-security-advisory-for-realtek-vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *