Realtek has recently confirmed a serious vulnerability in its HD Audio Driver Package for Windows. Upon exploit it could allow an adversary to evade security mechanisms and gain persistence on the target system.
Realtek HD Audio Driver Vulnerability
SafeBreach Labs have discovered a serious vulnerability in the Realtek HD Audio Driver Package for Windows. As stated in their advisory, they found a DLL hijacking flaw that could result in severe security threats to target Windows systems.
According to the researchers, the vulnerability CVE-2019-19705 could allow an attacker to execute malicious code. The flaw affected the “HD Audio Background Process” (RAVBg64.exe) that executed as NT AUTHORITYSYSTEM. Upon execution, the process tried to load missing DLL files.
Once executed, the process tries to load RAVBg64ENU.dll and RAVBg64LOC.dll (which are not located in) its own directory.
At this point, an attacker with admin privileges could upload an arbitrary DLL and execute malicious code. This became possible due to the lack of signature validation and the use of outdated software.
The researchers have shared the proof-of-concept for this vulnerability in their advisory.
Realtek Rolled Out Patches
The Realtek HD Audio Driver bug could have serious consequences in case of exploitation. For instance, it could allow an adversary to bypass whitelisting and execute malicious code in a persistent way.
As confirmed in the Realtek’s advisory, the bug affected the Realtek HD Audio Driver version Legacy (non-DCH type) driver 1.0.0.8855. Hence, all PCs bearing the Realtek sound cards became vulnerable to the flaw.
Consequently, the vendors patched the flaw with the release of Realtek High Definition Audio Driver Legacy (non-DCH) driver 1.0.0.8856.
Users must ensure that their systems are running the latest version of Realtek HD Audio Driver to stay protected from potential exploitation.
Earlier, SafeBreach Labs also reported similar bugs in the numerous antivirus programs and other software such as TeamViewer.
Let us know your thoughts in the comments.