Critical vulnerability found in Realtek HD Audio drivers

The vulnerability testing team at technology firm Realtek confirmed the presence of a critical vulnerability in the HD Audio Driver Package driver for Windows systems. If exploited, this vulnerability could allow a threat actor to bypass security mechanisms and gain persistence in the attacked system.

The reported flaw, tracked as CVE-2019-19705, is a DLL hijacking weakness that can be exploited to execute malicious code. It resides in the HD Audio Background Process (RAVBg64.exe), which runs as NT AUTHORITY\SYSTEM. On start-up the process attempts to load DLLs that are not present: “Once executed, the process attempts to load RAVBg64ENU.dll and RAVBg64LOC.dll (not found in its own directory)”, the Realtek report notes.

At this point an attacker who already holds administrator privileges on the target system could supply an arbitrary DLL that the SYSTEM-level process would load and execute. This is possible because the process performs no signature validation on the libraries it loads and because the affected installations run outdated software. The Realtek security alert includes a proof of concept written by its vulnerability testing team.
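The loading behaviour described above is also the basis for a detection: RAVBg64.exe normally finds neither library, so a successful load of either name, or of any unsigned module into that SYSTEM process, is worth an alert. The following is an added example, not code from Realtek or the original report; it assumes Sysmon Event ID 7 (ImageLoad) records with the fields Image, ImageLoaded, Signed and SignatureStatus, and the sample events and paths are constructed.

```python
"""Flag suspicious DLL loads into RAVBg64.exe from Sysmon Event ID 7 records.

RAVBg64.exe looks for RAVBg64ENU.dll / RAVBg64LOC.dll in its own directory and
normally finds nothing, so a successful load of either name, or of any unsigned
module into this SYSTEM-level process, is reported as an alert.
"""
import ntpath
from typing import List, Optional

TARGET_PROCESS = "ravbg64.exe"
HIJACKABLE_DLLS = {"ravbg64enu.dll", "ravbg64loc.dll"}


def classify_load(event: dict) -> Optional[str]:
    """Return an alert label for one Sysmon ID 7 event, or None if benign."""
    if ntpath.basename(event["Image"]).lower() != TARGET_PROCESS:
        return None  # only the Realtek background process is in scope
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    if dll_name in HIJACKABLE_DLLS:
        # These names are normally absent from disk; a successful load means
        # a file was placed where the loader's search order picked it up.
        return f"hijack-name-loaded:{dll_name}"
    signed = event.get("Signed", "false").lower() == "true"
    valid = event.get("SignatureStatus", "").lower() == "valid"
    if not (signed and valid):
        return f"unsigned-module:{dll_name}"
    return None


def scan(events: List[dict]) -> List[str]:
    """Run classify_load over a batch and keep only the alerts."""
    return [a for a in (classify_load(e) for e in events) if a]


# Constructed sample records (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe",
     "ImageLoaded": r"C:\Program Files\Realtek\Audio\HDA\RAVBg64ENU.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\RAVBg64ENU.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the planted RAVBg64ENU.dll and the unsigned helper.dll; the ntdll.dll load and the explorer.exe event are ignored.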

Exploited in the wild, the flaw in the Realtek HD Audio Driver could have serious consequences for Windows users, including application whitelist bypass and persistent execution of malicious code. Regarding affected versions, the security alert states that the vulnerability is present in the Legacy (non-DCH) variant of the Realtek HD Audio Driver, so all PCs with Realtek sound hardware running that variant are potentially exposed.

PC manufacturers released a fix with the Realtek High Definition Audio Driver Legacy (non-DCH) v1.0.0.8856 update; potentially affected users should ensure that their systems are no longer running the previous version of the audio driver, the Realtek vulnerability testing team notes.

According to the International Institute of Cyber Security (IICS), similar flaws were recently reported in several security products (antivirus software) and other tools, such as the popular TeamViewer remote access software. These flaws have been duly reported to the developers of the affected products, so users only need to update their installations.