ACTIVE-2020-003: Trident Z Lighting Control Driver Local Privilege Escalation (CVE-2020-12446)

Vulnerability Type:
Privilege Escalation
Vendors:
G.SKILL International Enterprise Co., Ltd.
CVE ID:
CVE-2020-12446
Affected Products:

  • Trident Z Lighting Control v1.00.08 and older

Summary:
The ene.sys driver in Trident Z Lighting Control v1.00.08 exposes mapping and unmapping of physical memory, reading and writing of Model Specific Registers (MSRs), and input from and output to I/O ports to local non-privileged users, which leads to privilege escalation to “NT AUTHORITY\SYSTEM”.

Mitigation:
The vendor has released a patch in version 1.00.17 addressing this vulnerability.
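
To check a host against the mitigation above, the following PowerShell inventory script is an added example, not code from ACTIVELabs or G.SKILL. It assumes the product registers an uninstall entry whose DisplayName contains "Trident Z Lighting Control", and it treats any version below 1.00.17 as needing the update, which is a conservative reading since the advisory lists v1.00.08 and older as affected.

```powershell
# Added example: inventory check for CVE-2020-12446 exposure on a Windows host.
# Assumption: the uninstall entry's DisplayName contains the product name below;
# adjust $NamePattern if your installation registers a different name.
$NamePattern  = '*Trident Z Lighting Control*'
$FixedVersion = [version]'1.00.17'   # patched release named in the advisory

function Test-NeedsUpdate {
    param([string]$DisplayVersion)
    $parsed = $null
    # A missing or unparseable version is flagged for review rather than treated as safe.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $true }
    return $parsed -lt $FixedVersion
}

# Standard per-machine uninstall locations (64-bit and 32-bit registry views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        [pscustomobject]@{
            Product     = $_.DisplayName
            Version     = $_.DisplayVersion
            NeedsUpdate = Test-NeedsUpdate $_.DisplayVersion
        }
    }

# Kernel driver services whose image path ends in ene.sys, the driver named in the
# advisory. This is a file-name match only; it does not identify the driver build.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*\ene.sys' } |
    Select-Object Name, State, StartMode, PathName

$installs | Format-Table -AutoSize
$drivers  | Format-Table -AutoSize

if ($installs | Where-Object NeedsUpdate) {
    Write-Warning 'Trident Z Lighting Control older than 1.00.17 found: update to the patched release.'
}
```

An ene.sys driver service listed with no matching product entry is worth a manual look, since it may have been left behind by an earlier installation.
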
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
Disclosure Timeline:

  • 01-03-20: ACTIVELabs contacted G.SKILL via ustech@gskillusa.com requesting security contact

  • 01-06-20: G.SKILL requested to send vulnerability report and provided an email address

  • 01-08-20: ACTIVELabs requested PGP key

  • 01-13-20: G.SKILL provided PGP key

  • 01-15-20: ACTIVELabs submitted vulnerability report using provided PGP key and requested timeline for the patch

  • 01-15-20: G.SKILL confirmed receiving the report

  • 01-15-20: G.SKILL provided patch for testing

  • 01-17-20: ACTIVELabs confirmed patch works as expected

  • 01-17-20: G.SKILL informed ACTIVELabs that additional features/tests will be conducted and patch should be released by end of February

  • 02-11-20: G.SKILL provided patch for testing

  • 02-13-20: ACTIVELabs confirmed patch is not working properly

  • 02-24-20: G.SKILL provided patch for testing

  • 02-26-20: ACTIVELabs was able to bypass the patch and provided feedback for fix

  • 02-27-20: G.SKILL provided patch for testing

  • 03-03-20: ACTIVELabs confirmed patch is not working properly and provided recommendations for fix

  • 03-03-20: G.SKILL responded they will consider the recommendations provided

  • 03-17-20: ACTIVELabs requested an update

  • 03-18-20: G.SKILL responded that work is slower due to COVID-19 and will provide an update once patch is done

  • 04-13-20: ACTIVELabs requested an update

  • 04-16-20: G.SKILL provided patch for testing

  • 04-21-20: ACTIVELabs confirmed patch works as expected and requested a timeline of when the patch will be made public

  • 04-21-20: G.SKILL responded they should be releasing the patched version on Monday, April 27th

  • 04-27-20: Trident Z Lighting Control version 1.00.17 released

  • 04-27-20: ACTIVELabs publishes this advisory

  • 04-27-20: ACTIVELabs requests CVE from MITRE

  • 04-29-20: CVE-2020-12446 assigned
