Software packages for LED RGB strips may be opening security vulnerabilities in certain PC setups.
Security firm SecureAuth, which specialises in “access management, identity governance, and penetration testing,” found seven vulnerabilities in five different software packages from PC manufacturers Asus and Gigabyte.
Asus’s Aura Sync v1.07.22 RGB controller was found to be at risk after the firm identified vulnerabilities in the company’s GLCKIo and Asusgio drivers. SecureAuth’s report (via BleepingComputer) shows that intruders could possibly run code with elevated privileges through these exposures.
SecureAuth additionally informed Gigabyte of issues in its GPCIDrv and GDrv drivers, exposing Gigabyte App Centre, Aorus Graphics Engine, Extreme Gaming Engine, and OC Guru II to malicious attacks. The report claims a local attacker could potentially take complete control of an afflicted computer.
But both Asus and Gigabyte have been reluctant to admit to the flaws. Asus responded to say all vulnerabilities were fixed, but a later note confirms that only one vulnerability had been patched.
Gigabyte meanwhile denied that any vulnerabilities existed in the first place.
“Gigabyte responded that, according to its PM and engineers, its products are not affected by the reported vulnerabilities,” said a SecureAuth report timeline.
Both companies have failed to fix the reported flaws within the disclosure period - an agreed-upon window in which companies can fix a flaw before its existence is publicly reported. That may put users of the afflicted software at increased risk now that the vulnerabilities have been made public.