Security penetration tester Graham Sutherland just wanted to disable his graphics card (GPU) LEDs, but instead, he claims he exposed a huge security vulnerability in Gigabyte's LED management software, RGB Fusion. In a tweet thread, Graham explained how RGB Fusion has a security hole that grants non-admin accounts full access to internal motherboard components.
The problem started when Graham’s GPU wasn’t working with RGB Fusion, despite the marketing claim it was a compatible device. He needed to dig a little deeper and opted to reverse-engineer the Gigabyte software. It was here that he discovered the root of his problem, and more.
When RGB Fusion parses commands to the WS2812B LEDs, the driver exposes the platform controller hub (PCH) general input/output pins (GPIOs). According to Graham, the driver even gives read/write access to all of the SMBus ports. This process is consistent even on non-admin accounts, meaning that non-admin level users have full access to the motherboard and connected devices. The driver also exposes an interface to flash MCU firmware, thus creating a “covert storage location.”
The driver executable is in a writable location making it very easy to replace. Would-be attackers can use this exploit to place malicious code with admin abilities or kernel code access.
There are a few additional hangups, multiple users on Reddit reported CMOS getting wiped on boot because of RGB Fusion—Mr. Sutherland included.
According to Sutherland, if a nefarious actor doesn’t have access to your machine or you aren’t already infected with malicious code, the vulnerability isn’t exploitable, saying “All of these issues require an attacker to already be running malicious code on your machine, albeit only at a low privilege level (non admin). So this won't magically make you insecure against an attacker on the network or internet.” It's probably safe to assume that someone could also install the software to a computer they have physical access to, thus using it as a means of attack.
Sutherland notes that, although he does submit reports, he hasn’t submitted a bug report to Gigabyte. At least not yet. We reached out to Gigabyte for comment on the matter. The company says that it is looking into the alleged issues to see if a fix is required, but didn’t comment further.