ACTIVE-2020-003: Trident Z Lighting Control Driver Local Privilege Escalation (CVE-2020-12446)

​Vulnerability Type:
Privilege Escalation
Vendors:
G.SKILL International Enterprise Co., Ltd.
CVE ID:
CVE-2020-12446
Affected Products:

• Trident Z Lighting Control v1.00.08 and older

Summary:
​ene.sys driver in Trident Z Lighting Control v1.00.08 exposes mapping and un-mapping of physical memory, reading and writing to Model Specific Register (MSR) registers, and input from and output to I/O ports to local non-privileged users which leads to privilege escalation as “NT AUTHORITY\SYSTEM”.

Mitigation:
The vendor has released a patch in version 1.00.17 addressing this vulnerability.
Credit:
​This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:

• https://www.gskill.com/dl_tbl/tz_lighting_control_changelog.htm
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12446
• https://nvd.nist.gov/vuln/detail/CVE-2020-12446

Disclosure Timeline:

• 01-03-20: ACTIVELabs contacted G.SKILL via ustech@gskillusa.com requesting security contact
• 01-06-20: G.SKILL requested to send vulnerability report and provided an email address
• 01-08-20: ACTIVELabs requested PGP key
• 01-13-20: G.SKILL provided PGP key
• 01-15-20: ACTIVELabs submitted vulnerability report using provided PGP key and requested timeline for the patch
• 01-15-20: G.SKILL confirmed receiving the report
• 01-15-20: G.SKILL provided patch for testing
• 01-17-20: ACTIVELabs confirmed patch work as expected
• 01-17-20: G.SKILL informed ACTIVELabs that additional features/tests will be conducted and patch should be released by end of February
• 02-11-20: G.SKILL provided patch for testing
• 02-13-20: ACTIVELabs confirmed patch is not working properly
• 02-24-20: G.SKILL provided patch for testing
• 02-26-20: ACTIVELabs was able to bypass the patch and provided feedback for fix
• 02-27-20: G.SKILL provided patch for testing
• 03-03-20: ACTIVELabs confirmed patch is not working properly and provided recommendations for fix
• 03-03-20: G.SKILL responded they will consider the recommendations provided
• 03-17-20: ACTIVELabs requested an update
• 03-18-20: G.SKILL responded that work is slower due to COVID-19 and will provide an update once patch is done
• 04-13-20: ACTIVELabs requested an update
• 04-16-20: G.SKILL provided patch for testing
• 04-21-20: ACTIVELabs confirmed patch work as expected and requested to provide a timeline of when the patch will be made public
• 04-21-20: G.SKILL responded they should be releasing the patched version on Monday, April 27th.
• 04-27-20: Trident Z Lighting Control version 1.00.17 released
• 04-27-20: ACTIVELabs publishes this advisory
• 04-27-20: ACTIVELabs request CVE from MITRE
• 04-29-20: CVE-2020-12446 assigned