Sign-up

ID

VAR-202006-0751


CVE

CVE-2019-17603


TITLE

Asus Aura Sync Out-of-bounds write vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2019-015609

DESCRIPTION

Ene.sys in Asus Aura Sync through 1.07.71 does not properly validate input to IOCTL 0x80102044, 0x80102050, and 0x80102054, which allows local users to cause a denial of service (system crash) or gain privileges via IOCTL requests using crafted kernel addresses that trigger memory corruption. Asus Aura Sync Is vulnerable to out-of-bounds writes.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. ASUS Aura Sync is a hardware light synchronization plug-in from Taiwan ASUS Corporation. A security vulnerability exists in the Ene.sys file in ASUS Aura Sync 1.07.71 and earlier. The vulnerability stems from the program failing to properly validate input sent to IOCTL 0x80102044, 0x80102050, and 0x80102054

Trust: 1.8

sources: NVD: CVE-2019-17603 // JVNDB: JVNDB-2019-015609 // VULHUB: VHN-149866 // VULMON: CVE-2019-17603

AFFECTED PRODUCTS

vendor:asusmodel:aura syncscope:lteversion:1.07.71

Trust: 1.0

vendor:asustek computermodel:aura sync frameworkscope:eqversion:1.07.71

Trust: 0.8

sources: JVNDB: JVNDB-2019-015609 // NVD: CVE-2019-17603

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-17603
value: HIGH

Trust: 1.0

NVD: JVNDB-2019-015609
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202006-262
value: HIGH

Trust: 0.6

VULHUB: VHN-149866
value: HIGH

Trust: 0.1

VULMON: CVE-2019-17603
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-17603
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2019-015609
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-149866
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-17603
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2019-015609
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-149866 // VULMON: CVE-2019-17603 // JVNDB: JVNDB-2019-015609 // CNNVD: CNNVD-202006-262 // NVD: CVE-2019-17603

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.9

sources: VULHUB: VHN-149866 // JVNDB: JVNDB-2019-015609 // NVD: CVE-2019-17603

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202006-262

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202006-262

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-015609

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-149866

PATCH
title:Top Pageurl:https://www.asus.com/jp/
Trust: 0.8
title:exploitsurl:https://github.com/dhn/exploits 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2019-17603 // 
            
            
            
            JVNDB: JVNDB-2019-015609

EXTERNAL IDS
db:NVDid:CVE-2019-17603
Trust: 2.6
db:PACKETSTORMid:158221
Trust: 1.8
db:JVNDBid:JVNDB-2019-015609
Trust: 0.8
db:CNNVDid:CNNVD-202006-262
Trust: 0.6
db:CNVDid:CNVD-2020-53798
Trust: 0.1
db:VULHUBid:VHN-149866
Trust: 0.1
db:VULMONid:CVE-2019-17603
Trust: 0.1
sources:
            
            
            VULHUB: VHN-149866 // 
            
            
            
            VULMON: CVE-2019-17603 // 
            
            
            
            JVNDB: JVNDB-2019-015609 // 
            
            
            
            CNNVD: CNNVD-202006-262 // 
            
            
            
            NVD: CVE-2019-17603

REFERENCES
url:https://zer0-day.pw/2020-06/asus-aura-sync-stack-based-buffer-overflow/
Trust: 2.6
url:http://packetstormsecurity.com/files/158221/asus-aura-sync-1.07.71-privilege-escalation.html
Trust: 1.9
url:https://nvd.nist.gov/vuln/detail/cve-2019-17603
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-17603
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/787.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://github.com/dhn/exploits
Trust: 0.1
sources:
            
            
            VULHUB: VHN-149866 // 
            
            
            
            VULMON: CVE-2019-17603 // 
            
            
            
            JVNDB: JVNDB-2019-015609 // 
            
            
            
            CNNVD: CNNVD-202006-262 // 
            
            
            
            NVD: CVE-2019-17603

CREDITS
Connor McGarr, dhn
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202006-262

SOURCES
db:VULHUBid:VHN-149866
db:VULMONid:CVE-2019-17603
db:JVNDBid:JVNDB-2019-015609
db:CNNVDid:CNNVD-202006-262
db:NVDid:CVE-2019-17603

LAST UPDATE DATE
2024-11-23T23:04:19.242000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-149866date:2020-06-25T00:00:00
db:VULMONid:CVE-2019-17603date:2020-06-25T00:00:00
db:JVNDBid:JVNDB-2019-015609date:2020-06-26T00:00:00
db:CNNVDid:CNNVD-202006-262date:2020-06-30T00:00:00
db:NVDid:CVE-2019-17603date:2024-11-21T04:32:37.367

SOURCES RELEASE DATE
db:VULHUBid:VHN-149866date:2020-06-02T00:00:00
db:VULMONid:CVE-2019-17603date:2020-06-02T00:00:00
db:JVNDBid:JVNDB-2019-015609date:2020-06-26T00:00:00
db:CNNVDid:CNNVD-202006-262date:2020-06-02T00:00:00
db:NVDid:CVE-2019-17603date:2020-06-02T15:15:11.400