Risk | Critical |
Patch available | NO |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-10709 |
CWE-ID | CWE-264 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | Asus Precision TouchPad Hardware solutions / Firmware |
Vendor | Asus |
Security Bulletin
This security bulletin contains one critical-risk vulnerability.
EUVDB-ID: #VU20910
Risk: Critical
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red]
CVE-ID: CVE-2019-10709
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the "AsusPTPFilter.sys" driver has a pool overflow associated with the \\.\AsusTP device. A remote attacker can cause a denial of service or potentially escalate privileges via a crafted "DeviceIoControl" call.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Asus Precision TouchPad: 11.0.0.25
External links
https://packetstormsecurity.com/files/154259/Asus-Precision-TouchPad-11.0.0.25-Denial-Of-Service-Privilege-Escalation.html
https://blog.telspace.co.za/2019/08/tsa-2019-001-asus-precision-touchpad.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.