
Realtek fixed a security vulnerability discovered in the Realtek HD Audio Driver Package that could allow potential attackers to gain persistence, plant malware, and evade detection on unpatched Windows systems.
The Realtek High Definition Audio Driver is installed on Windows computers that come with Realtek audio cards. The bug was reported to the vendor on July 10, 2019, and it received a patch on December 13, 2019.
Realtek fixed the issue in HD Audio driver package version 8857 or newer, while driver versions earlier than 8855 that were built using the old version of the Microsoft development tool (VS2005) are still vulnerable to attacks.
If exploited, the vulnerability tracked as CVE-2019-19705 allows attackers to load and execute malicious payloads within the context of a Realtek-Semiconductor signed process on machines running an unpatched version of the HD Audio driver.
Severe DLL hijacking flaw
The Realtek HD Audio Driver Package bug discovered by SafeBreach Labs security researcher Peleg Hadar requires potential attackers to have Administrator privileges prior to successfully exploiting the issue.
Even though this flaw's threat level is not immediately apparent seeing that it requires elevated user permissions and local access to be abused, such security issues are regularly rated with medium and high severity CVSS 3.x base scores [1, 2].
Attackers abuse DLL search-order hijacking bugs such as this as part of binary planting attacks designed to help them further compromise the device and to gain persistence.
Upon successful exploitation, it can be used "for different purposes such as execution and evasion" and "to load and execute malicious payloads in a persistent way," Hadar says.
CVE-2019-19705 - A vulnerability which I found in Realtek's Driver package for Windows, which affects a lot of PC users: https://t.co/5MpYix6t7o
— Peleg Hadar (@peleghd) February 4, 2020
Arbitrary unsigned DLL loading from the current working directory
Hadar says that CVE-2019-19705 is caused by the signed HD Audio Background (RAVBg64.exe) process attempting to load a DLL from its current working directory (CWD) instead of the DLL's actual location, combined with its failure to validate whether the DLL is signed with a digital certificate.
He found that the HD Audio Background process that runs as NT AUTHORITY\SYSTEM tries to import the RAVBg64ENU.dll and the RAVBg64LOC.dll from its CWD, the C:\Program Files\Realtek\Audio\HDA\ directory, although they are not located there.
To exploit his finding, the researcher compiled and implanted an arbitrary DLL in the C:\Program Files\Realtek\Audio\HDA\ folder as part of a proof-of-concept demonstration, and restarted the HD Audio Background process.
This allowed him to load the arbitrary DLL and execute a code payload within the RAVBg64.exe process signed by Realtek Semiconductor and running as NT AUTHORITY\SYSTEM.
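One way a defender can hunt for the load pattern described above in endpoint telemetry, written as an added example (not the article's, SafeBreach's or Realtek's code) over constructed Sysmon-style ImageLoad records; the Realtek signer string, the record fields and the sample events are assumptions:

```python
"""Flag the CVE-2019-19705 load pattern in Sysmon-style ImageLoad (Event ID 7) records.
Added example, not code from the article, SafeBreach or Realtek; the signer string
and the sample records are constructed assumptions."""
from pathlib import PureWindowsPath

HDA_DIR = PureWindowsPath(r"C:\Program Files\Realtek\Audio\HDA")   # CWD of the process
HOST_IMAGE = "ravbg64.exe"                                        # HD Audio Background
HIJACKABLE = {"ravbg64enu.dll", "ravbg64loc.dll"}                  # DLLs sought in the CWD
REALTEK_SIGNER = "Realtek Semiconductor Corp."                    # assumed Sysmon 'Signature'
FIXED_BUILD = 8857                                                # fixed in 8857 or newer

def driver_is_unpatched(file_version: str) -> bool:
    """True when the package build (third field of e.g. '6.0.8855.1') is below 8857.
    An unparsable version is reported as unpatched rather than silently passed."""
    try:
        return int(file_version.split(".")[2]) < FIXED_BUILD
    except (IndexError, ValueError):
        return True

def classify_load(event: dict):
    """Return a finding string for one record, or None when the load is out of scope."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if host.name.lower() != HOST_IMAGE or dll.name.lower() not in HIJACKABLE:
        return None
    if dll.parent != HDA_DIR:            # PureWindowsPath equality is case-insensitive
        return None
    vendor_signed = (event.get("Signed") == "true"
                     and event.get("SignatureStatus") == "Valid"
                     and event.get("Signature") == REALTEK_SIGNER)
    if vendor_signed:                    # unexpected location, but at least vendor code
        return f"MEDIUM: {dll.name} loaded from CWD by {host.name} (vendor-signed)"
    return f"HIGH: unsigned/foreign {dll.name} loaded from CWD by {host.name} (binary planting)"

def scan(events: list) -> list:
    return [f for f in map(classify_load, events) if f]

SAMPLE_EVENTS = [   # constructed records, not real telemetry
    {"Image": r"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe",
     "ImageLoaded": r"C:\Program Files\Realtek\Audio\HDA\RAVBg64ENU.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    {"Image": r"C:\Windows\explorer.exe",   # same DLL name, other host: out of scope
     "ImageLoaded": r"C:\Program Files\Realtek\Audio\HDA\RAVBg64ENU.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
]
```

Running `scan(SAMPLE_EVENTS)` yields a single HIGH finding for the unsigned RAVBg64ENU.dll load; `driver_is_unpatched` can be fed the file version of the installed RAVBg64.exe to triage hosts before the telemetry check.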

"With Realtek High Definition Audio version 8855, the local user is able to gain privileges via a crafted DLL in the same folder as the running executable file," according to Realtek's advisory.
"The root cause is that Microsoft Visual Studio 2005 MFC is used in the named driver package (version 1.0.0.8855), which automatically loads a resource DLL.
The VS2005 MFC uses a low-level function LdrLoadLibrary that also loads a code section, and thus there is a potential risk that unexpected code may be loaded."
"An attacker can implant malware which will be executed on behalf of Realtek which can lead to bypassing AVs, and allows the attacker to steal all of the victims’ information," SafeBreach Labs security researcher Peleg Hadar told BleepingComputer.
When asked what platforms are affected by the vulnerable Realtek HD Audio Driver versions, Peleg said that SafeBreach Labs "checked Windows 10, but I believe other versions are vulnerable as it’s an inherited problem."
Other DLL hijacking flaws discovered by SafeBreach Labs
The Realtek HD Audio Driver Package flaw is not the first DLL preloading bug spotted and reported to a vendor by SafeBreach Labs' security researcher Peleg Hadar.
Since August 2019, he also unearthed other similar issues affecting several other software products including but not limited to Symantec Endpoint Protection, Trend Micro's Password Manager, Check Point Software's Endpoint Security Initial Client, the free version of Bitdefender Antivirus, Avira's Antivirus 2019 software, Avast Software's AVG Antivirus and Avast Antivirus, and several McAfee Antivirus software solutions.
Each of the LPE bugs he found could make it possible for hackers to exploit systems running unpatched versions of the vulnerable software to drop and execute malicious payloads in a persistent way, as well as to evade detection during later stages of an attack.
Comments
Triplehammer - 3 years ago
"Realtek fixed the issue in the HD Audio driver package ver.8857 or newer"
And is it possible to get this from RealTek, or do we have to look for (to paraphrase one non-RealTek webpage) unofficial packages of generic Realtek drivers made from parts of various OEM specific drivers intended to work on legacy systems?
The act of obtaining drivers more recent than 2017 or so seems to involve trusting third-party codec sites. How do I know which ones aren't going to be sources of the malware that I'm trying to patch against?
serghei - 3 years ago
You have to get the updated driver from your OEM. If it's not there, there's not much else you can do.
Maybe get in touch with the OEM support to bring it to their attention?
noelprg4 - 3 years ago
If you read the Realtek advisory report carefully, only "legacy" (non-DCH or non-UAD) Realtek HD Audio drivers from 8855 & older were affected. The Realtek audio drivers in UAD (universal audio driver) format were not affected & do not have the security flaw.
OEMs or PC manufacturers may not be fast enough to issue updated Realtek audio drivers, so do contact them to get them to release new drivers.
Some-Other-Guy - 3 years ago
Triplehammer....
"How do I know which ones aren't going to be sources of the malware that I'm trying to patch against?"
-------------------------
You don't!
Even searching for legacy drivers at what appears to be the official Realtek site has turned up drivers that triggered AV warnings
But maybe the AV was compromised?
Maybe it was a fake website?
But maybe the Internet traffic was temporarily routed through China?
But maybe Microsoft Updates has the "fixed" driver that completely hosed your system
But maybe whatever!
If you have a clean driver that works, KEEP IT!
But maybe it's not clean?
Maybe it only looks clean?
STOP!
Don't let the maybe's get ya!
If your Operating System does not protect you from thousands of software and driver vulnerabilities, then a single driver vulnerability is the least of your problems
noelprg4 - 3 years ago
For those using certain ASUS notebook PCs with legacy Realtek HDA (non-DCH) drivers, here's the 8858 HDA driver that ASUS released several days ago, which should include the security fix:
https://dlcdnets.asus.com/pub/ASUS/nb/DriversForWin10/Audio/Audio_Realtek_Win10_64_VER6088581_Logo.zip
Note that this will not work with all ASUS laptops & motherboards and is not a "generic" HDA driver.
noelprg4 - 3 years ago
And for those using certain Lenovo ThinkCentre M900z & M910z computers with Realtek HDA (non-DCH) legacy audio drivers, Lenovo has released the 6.0.8881.1 driver on their web site from these pages in late March 2020:
https://pcsupport.lenovo.com/us/en/downloads/DS120702
https://pcsupport.lenovo.com/us/en/downloads/DS120664
These Realtek HDA 8881 driver packages do bundle the generic hdart.inf & hdxrt.inf files, unlike the Asus-based 6.0.8858.1 HDA driver.
noelprg4 - 3 years ago
And here's another Realtek HDA 6.0.8881.1 driver package from Lenovo for ideacentre AIO 520-22IKU/24IKU models, released in early April 2020:
https://pcsupport.lenovo.com/us/en/downloads/DS506537
It also includes generic hdart.inf & hdxrt.inf files that will install on virtually any machine (even ones not from Lenovo) that uses onboard Realtek HD audio hardware. And read the readme file from here:
https://download.lenovo.com/consumer/desktop/u7aud8881us14cmp.txt
CHANGES IN THIS RELEASE
Versions 6.0.8881.1
[Problem fixes]
-Security updates.
noelprg4 - 3 years ago
Both Lenovo and Hewlett-Packard are recently aware of the Realtek HD audio driver security vulnerability and have published security bulletins and updated Realtek audio drivers to address the problem:
https://support.lenovo.com/us/en/product_security/LEN-30506
https://support.hp.com/us-en/document/c06622884
noelprg4 - 3 years ago
And it looks like Dell posted a security advisory regarding the Realtek HD audio driver security vulnerability close to the end of May 2020:
https://www.dell.com/support/article/sln321636/dsa-2020-131-dell-client-platform-security-update-security-advisory-for-realtek-vulnerability?lang=en