Cisco Talos uncovered and analyzed two critical vulnerabilities in ASUS' AsIO3.sys driver, highlighting serious security risks and the importance of robust driver design.
# Vulnerability: Multiple Flaws in ASUS Armory Crate AsIO3.sys Driver Leading to SYSTEM Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-1533, CVE-2025-3464
- CVSS Score: Not explicitly assigned a CVSS score in the provided text, but severity is implied as **Critical** due to SYSTEM privilege escalation.
- CWE: CWE-121 (Stack-based Buffer Overflow - for CVE-2025-1533); CWE-284 (Improper Access Control - for CVE-2025-3464)
## Affected Systems
- Products: ASUS Armory Crate and AI Suite applications (which utilize the driver).
- Versions: Not explicitly listed, but the vulnerability resides in the `AsIO3.sys` driver shipped with these applications.
- Configurations: Affects systems where the affected driver is installed and running.
## Vulnerability Description
Two critical vulnerabilities were discovered in the `AsIO3.sys` driver, both in the `IRP_MJ_CREATE` handler:
1. **CVE-2025-1533 (Stack-based Buffer Overflow):** Occurs during the conversion of the process's ImagePath from "Win32 Path" to "NT Namespace Path" within the `ImageHashCheck` function.
2. **CVE-2025-3464 (Authorization Bypass):** The standard authorization mechanism, which relies on checking the SHA256 hash of the calling process executable (expected to be `AsusCertService.exe`), was bypassed. Attackers could gain unauthorized access to the driver's functionality.
The bypass allowed an attacker to achieve full read access to kernel memory structures by leveraging memory read primitives developed from the exposed driver functionality, culminating in a full **Local Privilege Escalation (LPE) to NT SYSTEM**.
## Exploitation
- Status: **Exploited in the wild** (A working exploit leading to SYSTEM privilege escalation was developed and demonstrated).
- Complexity: **Low** (Implied, as the exploit achieved SYSTEM immediately after bypassing authorization within the driver).
- Attack Vector: **Local** (The attacker must already have low-privileged user access on the target system).
### Impact
- Confidentiality: **High** (Access to kernel memory allows reading of sensitive data, including arbitrary kernel structures/tokens).
- Integrity: **High** (Full control over the operating system via SYSTEM privileges).
- Availability: **High** (Kernel-level manipulation can lead to system instability or crash).
## Remediation
### Patches
- Specific patch versions were not detailed in the article snippet. Users are directed to consult ASUS advisories. (Implied: Patches address the authorization check and buffer handling).
### Workarounds
- Since the exploitation relies on accessing the device `\\.\Asusgio3`, potential workarounds involve:
  1. Restricting access to the kernel device object (though this typically requires elevated permissions or driver manipulation itself).
  2. Disabling or removing the affected ASUS software/driver if system functionality allows.
*Note: The article suggests using an "allowed list" approach for driver access control over the current "disallowed list" approach.*
## Detection
- **Indicators of Compromise (IoCs):**
  - Anomalous process creation or modifications originating from a process running as `NT AUTHORITY\SYSTEM` where the parent process was a low-privileged user context.
  - Evidence of unauthorized reading of kernel memory structures, specifically manipulation of `EPROCESS` structures or security tokens.
- **Detection Methods and Tools:**
  - Monitoring driver load (`AsIO3.sys`).
  - Monitoring attempts to open handles to the device `\\.\Asusgio3` from non-whitelisted user processes.
  - Endpoint Detection and Response (EDR) systems monitoring kernel API calls related to token swapping (e.g., `SeSetSystemProcessToken`, memory region accesses).
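The allowed-list check on device handle opens, as an added example that is not from the Talos report or from ASUS's code: it assumes an EDR-style telemetry feed that records, for each handle open, the caller's image path and SHA-256, and it flags any open of `\\.\Asusgio3` by an image that is either absent from the allowed list or present but with a different hash. The event format, paths and hashes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

DEVICE = r"\\.\Asusgio3"
NOT_ALLOWED = "device opened by image not on the allowed list"
HASH_MISMATCH = "allowed image path but SHA-256 mismatch (replaced or masqueraded binary)"

# Constructed stand-in for the vendor service binary. In a deployment the hash is
# taken from the installed AsusCertService.exe when the baseline is recorded.
SERVICE_IMAGE = r"C:\Program Files\ASUS\AsusCertService\AsusCertService.exe"
SERVICE_BYTES = b"constructed stand-in for AsusCertService.exe"
# Allowed list keyed by lower-cased path (Windows paths are case-insensitive).
ALLOWED = {SERVICE_IMAGE.lower(): hashlib.sha256(SERVICE_BYTES).hexdigest()}


@dataclass(frozen=True)
class HandleOpenEvent:
    pid: int
    image: str          # full path of the process that opened the handle
    image_sha256: str   # hash of that image as recorded by the sensor
    target: str         # object name passed to CreateFile


def classify(ev: HandleOpenEvent):
    """Return a reason string if the event is suspicious, else None."""
    if ev.target.lower() != DEVICE.lower():
        return None                       # some other device, out of scope
    expected = ALLOWED.get(ev.image.lower())
    if expected is None:
        return NOT_ALLOWED                # caller is not the expected service
    if ev.image_sha256.lower() != expected:
        return HASH_MISMATCH              # right path, wrong binary
    return None


def scan(events):
    """Return (pid, reason) for every suspicious event, preserving order."""
    return [(ev.pid, r) for ev in events if (r := classify(ev)) is not None]


# Constructed sample telemetry: one legitimate open, two suspicious ones, one unrelated.
SAMPLE_EVENTS = [
    HandleOpenEvent(1200, SERVICE_IMAGE, ALLOWED[SERVICE_IMAGE.lower()], DEVICE),
    HandleOpenEvent(4242, r"C:\Users\low\tool.exe", hashlib.sha256(b"tool").hexdigest(), DEVICE),
    HandleOpenEvent(777, SERVICE_IMAGE, hashlib.sha256(b"not the service").hexdigest(), DEVICE),
    HandleOpenEvent(900, r"C:\Users\low\tool.exe", hashlib.sha256(b"tool").hexdigest(), r"\\.\PhysicalDrive0"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```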
## References
- Vendor advisories: Consult ASUS security advisories concerning Armory Crate and AI Suite vulnerabilities (TALOS-2025-2144 and TALOS-2025-2150).
- Relevant links (defanged):
  - `talosintelligence.com/vulnerability_reports/TALOS-2025-2144`
  - `talosintelligence.com/vulnerability_reports/TALOS-2025-2150`