Permissions, Privileges, and Access Controls in Asus Precision TouchPad



Published: 2019-09-04 | Updated: 2019-09-06
Risk: Critical
Patch available: NO
Number of vulnerabilities: 1
CVE-ID: CVE-2019-10709
CWE-ID: CWE-264
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software
Asus Precision TouchPad
Hardware solutions / Firmware

Vendor: Asus

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU20910

Risk: Critical

CVSSv3.1:

CVE-ID: CVE-2019-10709

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the "AsusPTPFilter.sys" driver has a pool overflow associated with the \\.\AsusTP device. A remote attacker can cause a denial of service or potentially escalate privileges via a crafted "DeviceIoControl" call.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Asus Precision TouchPad : 11.0.0.25


External links

http://packetstormsecurity.com/files/154259/Asus-Precision-TouchPad-11.0.0.25-Denial-Of-Service-Privilege-Escalation.html
http://blog.telspace.co.za/2019/08/tsa-2019-001-asus-precision-touchpad.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


