The vulnerability testing team at technology firm Realtek confirmed the presence of a critical vulnerability in the HD Audio Driver Package driver for Windows systems. If exploited, this vulnerability could allow a threat actor to bypass security mechanisms and gain persistence in the attacked system.
The reported flaw, tracked as CVE-2019-19705, is a DLL hijacking that can be exploited to execute malicious code. The flaw resides in HD Audio Background Process (RAVBg64.exe), which runs as NT AUTHORITY\SYSTEM. After running, the process attempts to load the missing DLLs: “Once executed, the process attempts to load RAVBg64ENU.dll and RAVBg64LOC.dll (not found in) its own directory”, mentions the Realtek
It is at this point that a hacker with administrator privileges on the target system could load an arbitrary DLL to execute the malicious code, which is possible due to the absence of signature validation and the use of non-updated software. The Realtek security alert includes a proof-of-concept designed by their vulnerability testing team.
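The paragraph above describes the detection-relevant behaviour: a SYSTEM-level process that tries to load two DLLs by name from its own directory, with no signature check on what it finds. The following script is an added example (not code from the article or from Realtek) showing how a defender could screen Sysmon Event ID 7 (ImageLoaded) records for those two DLL names being loaded by RAVBg64.exe from an unexpected directory, unsigned, or signed by a publisher other than Realtek. The install directory and the sample records are constructed assumptions for the example; only the process and DLL names come from the article.

```python
"""Screen Sysmon Event ID 7 (ImageLoaded) records for the two DLL names that
the Realtek advisory says RAVBg64.exe tries to load from its own directory,
and flag loads that are unsigned, not signed by Realtek, or served from a
directory other than the expected install location.

Added example for the article on CVE-2019-19705; not Realtek's code."""

from pathlib import PureWindowsPath
from typing import List, Optional

# Process and DLL names are those quoted in the advisory; the install
# directory and expected publisher string are assumptions for this example.
HOST_PROCESS = "ravbg64.exe"
WATCHED_DLLS = {"ravbg64enu.dll", "ravbg64loc.dll"}
EXPECTED_DIR = r"C:\Program Files\Realtek\Audio\HDA"   # assumed
EXPECTED_PUBLISHER = "realtek"                          # assumed substring

# Constructed sample records in a simplified 'key=value|key=value' form,
# using the real Sysmon Event ID 7 field names Image/ImageLoaded/Signed/Signature.
SAMPLE_EVENTS = [
    # benign: Realtek-signed DLL loaded from the expected directory
    r"Image=C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe|ImageLoaded=C:\Program Files\Realtek\Audio\HDA\RAVBg64ENU.dll|Signed=true|Signature=Realtek Semiconductor Corp.",
    # suspicious: unsigned DLL with the watched name sitting in the install directory
    r"Image=C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe|ImageLoaded=C:\Program Files\Realtek\Audio\HDA\RAVBg64LOC.dll|Signed=false|Signature=",
    # suspicious: watched name loaded from a user-writable location, signed by someone else
    r"Image=C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe|ImageLoaded=C:\Users\Public\RAVBg64ENU.dll|Signed=true|Signature=Example Publisher",
    # unrelated load by another process: ignored
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\shell32.dll|Signed=true|Signature=Microsoft Windows",
]


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' record into a dict of field -> value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: dict) -> Optional[str]:
    """Return a finding for a watched DLL load, or None if the record is benign or irrelevant."""
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))

    # Only RAVBg64.exe loading one of the two advisory DLL names is of interest.
    if image.name.lower() != HOST_PROCESS or loaded.name.lower() not in WATCHED_DLLS:
        return None

    reasons = []
    if str(loaded.parent).lower() != EXPECTED_DIR.lower():
        reasons.append(f"loaded from unexpected directory {loaded.parent}")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned")
    elif EXPECTED_PUBLISHER not in event.get("Signature", "").lower():
        reasons.append(f"signed by unexpected publisher '{event.get('Signature')}'")

    if not reasons:
        return None
    return f"{loaded} -> {'; '.join(reasons)}"


def find_suspicious_loads(lines: List[str]) -> List[str]:
    """Return one finding string per suspicious record, in input order."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_loads(SAMPLE_EVENTS):
        print(finding)
```

Because the advisory states that neither DLL is normally present in the process directory, a stricter policy is reasonable: treat any successful load of those two names by RAVBg64.exe as worth review, and use the signature and directory checks above only to rank the findings.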
Exploited in the wild, the flaw in Realtek HD Audio Driver could have disastrous consequences for Windows system users, such as whitelist bypass and persistent execution of malicious code. Regarding the affected versions, the security alert highlights that the vulnerability is present in version 184.108.40.20655 of the Realtek HD Audio Driver Legacy driver (not the DCH type), so all PCs with Realtek sound cards are potentially exposed to exploitation of the vulnerability.
PC manufacturers released a fix with the Realtek High Definition Audio Driver Legacy (non-DCH) v220.127.116.1156 update; potentially affected users should ensure that their systems do not run the previous version of the audio driver, according to the Realtek vulnerability testing team.
According to the International Institute of Cyber Security (IICS), similar flaws were recently reported in several variants of security software (antivirus) and other tools, such as the popular TeamViewer remote access software; these flaws have been duly reported to the developers of the affected products, thus, users just need to update their