Memory Corruption Vulnerability in Asus Aura Sync Software
CVE-2022-44898

7.8HIGH

Key Information:

Vendor: Asus
Status: Aura Sync
Vendor: CVE Published:; 14 December 2022

What is CVE-2022-44898?

The MsIo64.sys driver in Asus Aura Sync prior to v1.07.79 contains a vulnerability that fails to properly validate input through specific IOCTL commands. This oversight can allow attackers to exploit the system by triggering memory corruption, potentially leading to a Denial of Service (DoS) condition or escalating privileges through crafted IOCTL requests. Users are advised to update to the latest version to mitigate risks associated with this vulnerability.

References

https://heegong.github.io/posts/ASUS-AuraSync-Kernel-Stac...

https://www.asus.com/campaign/aura/us/download.php

https://www.asus.com/content/ASUS-Product-Security-Advisory/

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 14, 2022
Vulnerability Reserved
Nov 7, 2022