CVE-2020-15368 Vulnerability: Full Overview
What is CVE-2020-15368 vulnerability?
CVE-2020-15368 is an improper access control vulnerability in ASRock's AsrDrv103.sys kernel driver that lets a local attacker escalate from user mode to kernel mode.
The driver exists so ASRock's utilities can talk to the motherboard hardware, but it never checks who is calling it. It exposes Input/Output Control (IOCTL) codes through which any user-mode process that can open the device can read and write Model Specific Registers (MSRs), control registers and arbitrary physical memory.
In simple terms, it is an open "bridge" into Ring 0: a standard user (or malware running as one) can turn those read/write primitives into code execution at the highest privilege level in the OS, bypassing the kernel/user boundary and every security control built on it.
When was it discovered?
The vulnerability was publicly disclosed in June 2020 by security researchers Stephen Tong ("stong") and Yaotian Feng ("Codetector"). They found that the driver was essentially a repackaged version of the RWEverything tool's driver, with its IOCTL payloads AES-encrypted under a hardcoded key; once the key was recovered, the encryption offered no protection at all.
Affected products & versions
The vulnerability is present in the ASRock RGB Driver software suite. The specific vulnerable component is:
Product | Component | Vulnerability status
--- | --- | ---
ASRock RGB LED Utility | AsrDrv103.sys | Vulnerable (all versions that ship this driver)
CVE-2020-15368 technical description
The core issue is that AsrDrv103.sys exposes dangerous functionality to user space without restricting access to administrators.
Attackers can send specific IOCTL requests to the driver to perform actions that should be strictly forbidden, such as:
Arbitrary Physical Memory Read/Write: Modifying kernel structures directly in memory.
CR3 Register Manipulation: The researchers demonstrated the flaw by overwriting the CR3 register (which holds the physical address of the page-table root used for virtual-to-physical translation) with zeros. The CPU can then resolve no address at all, including those of its own fault handlers, so it takes a triple fault and the machine resets immediately (a denial of service). A sophisticated attacker uses the same primitives to hijack kernel execution instead of crashing the machine: arbitrary physical memory write is enough to patch kernel code or data and to bring an unsigned implant into the kernel.
The driver attempts to "hide" these functions by AES-encrypting the IOCTL command buffers, but the key is hardcoded and easily extracted, so the encryption provides no real security: anyone who recovers the key can build valid commands exactly as ASRock's own utility does.
Tactics, techniques & procedures (TTPs)
This vulnerability is a key enabler for Privilege Escalation and Defense Evasion, and, through kernel-level rootkits, for Persistence. In MITRE ATT&CK terms the abuse maps to Exploitation for Privilege Escalation (T1068), with the driver typically registered via Create or Modify System Process: Windows Service (T1543.003).
BYOVD (Bring Your Own Vulnerable Driver): Attackers do not need to find this driver already installed on a victim's machine. They bring the valid, digitally signed AsrDrv103.sys with them, drop it on the host and register it as a kernel driver service. Note the precondition: creating and starting a driver service requires administrative rights, so in the BYOVD scenario the driver is an admin-to-kernel step whose value is defeating driver signature enforcement and EDR, not gaining admin. Only on a machine where ASRock's own software has already loaded the driver can an unprivileged local user reach the vulnerable IOCTLs directly.
INCONTROLLER / PIPEDREAM Toolkit: In April 2022 this specific driver was identified as a component of the INCONTROLLER (aka PIPEDREAM) toolkit, a state-sponsored attack framework built to target Industrial Control Systems (ICS) and SCADA environments. The toolkit uses the driver's read/write primitives to load its own unsigned implants into the Windows kernel.
Defense Evasion: Running code in the kernel by way of a legitimate signed driver lets attackers tamper with or terminate Endpoint Detection and Response (EDR) agents and other security processes that even an administrative user-mode process could not touch.
Indicators of compromise
Defenders should watch for the presence or loading of this specific driver file:
File Name: AsrDrv103.sys appearing in C:\Windows\Temp\ or user AppData folders (common drop locations for BYOVD attacks).
Service Creation: A new Windows service of type "kernel mode driver" whose image path points to AsrDrv103.sys, especially when that path lies outside the ASRock program directory and the system driver store.
Sysmon Event ID 6: "Driver Loaded" events referencing this filename or known hashes associated with ASRock's older RGB software.
Known proof-of-concepts & exploits
The original researchers released a full technical analysis and proof-of-concept (PoC) code on GitHub in 2020.
The PoC demonstrates how to construct the correctly AES-encrypted IOCTL payloads the driver expects and use them to trigger the vulnerability. Because the driver carries a valid Authenticode signature from ASRock, Windows driver signature enforcement lets it load on a default installation unless the file is on a driver block list, which makes the exploit highly reliable wherever such a block list is absent.
How to detect CVE-2020-15368 vulnerability?
Driver Scanning: Scan endpoints for the file AsrDrv103.sys. If found, check if it is part of a legitimate, active ASRock installation or a stray file dropped by malware.
Event Log Monitoring: Monitor for Event ID 7045 in the System log (Service Installation), and Event ID 4697 in the Security log where service-installation auditing is enabled, for entries whose service image path ends in .sys and resides in a temporary, ProgramData or user-profile directory.
Vulnerability Scanners: Scanners such as Tenable/Nessus can report installations of the vulnerable ASRock software suite; this covers the legitimate-install case but not a driver dropped by malware, which only the file and event checks above will catch.
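The following PowerShell hunt is an added example, not part of the original article or of ASRock's or Microsoft's code. It implements the indicators and detection steps above on a single host: active driver services, stray copies on disk with hash and signature status, Event ID 7045 service installs pointing at a .sys in a drop location, and Sysmon Event ID 6 driver loads. It assumes an elevated session (so the System log and all user profiles are readable) and Sysmon configured to log driver loads; the search roots and the 30-day lookback are arbitrary choices.

```powershell
# Added hunt for CVE-2020-15368 / AsrDrv103.sys BYOVD indicators (example code, not ASRock's or Microsoft's).
# Assumptions: elevated session, Sysmon with Event ID 6 enabled; search roots and lookback are arbitrary.

function Find-AsrDrvIndicators {
    param(
        [string]$DriverName = 'AsrDrv103.sys',
        [datetime]$Since    = (Get-Date).AddDays(-30)
    )

    # Helper: flatten an event's <EventData><Data Name="..."> elements into a hashtable.
    function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event) {
        $h = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }

    # 1. Is the driver a registered kernel driver service right now? A legitimate ASRock install
    #    points into Program Files; a BYOVD drop points into Temp, ProgramData or a user profile.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*\$DriverName" } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'SystemDriver'; Name = $_.Name; Path = $_.PathName
                               State = $_.State; StartMode = $_.StartMode }
        }

    # 2. Stray copies on disk, with hash and signature status. Expect SignatureStatus 'Valid':
    #    the whole point of BYOVD is that the signed driver passes code integrity checks.
    $roots = @("$env:SystemRoot\Temp", $env:ProgramData, "$env:SystemDrive\Users") | Where-Object { Test-Path $_ }
    Get-ChildItem -Path $roots -Filter $DriverName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{ Source = 'File'; Path = $_.FullName
                               SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                               Signer = $sig.SignerCertificate.Subject; SignatureStatus = $sig.Status }
        }

    # 3. Service installs (System log, Event ID 7045) whose image is a .sys outside the driver store.
    #    Kernel drivers dropped for BYOVD are registered exactly this way ("sc create ... type= kernel").
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d   = ConvertTo-EventData $_
            $img = [string]$d['ImagePath']
            if ($img -match '\.sys$' -and $img -match '\\(Temp|AppData|ProgramData|Users)\\') {
                [pscustomobject]@{ Source = 'Event7045'; Time = $_.TimeCreated; Service = $d['ServiceName']
                                   ImagePath = $img; ServiceType = $d['ServiceType']; Account = $d['AccountName'] }
            }
        }

    # 4. Sysmon Event ID 6 (Driver loaded) for the file name, with the hashes Sysmon recorded,
    #    so the result can be matched against the hashes in your block list.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ([string]$d['ImageLoaded'] -like "*\$DriverName") {
                [pscustomobject]@{ Source = 'Sysmon6'; Time = $_.TimeCreated; ImageLoaded = $d['ImageLoaded']
                                   Hashes = $d['Hashes']; Signature = $d['Signature']; SignatureStatus = $d['SignatureStatus'] }
            }
        }
}

Find-AsrDrvIndicators | Format-List
```

A hit in step 1 with a path under Program Files and no hits in steps 2 to 4 is consistent with a legitimate ASRock installation (still worth removing, per the mitigation section); a 7045 or Sysmon 6 hit with the driver under Temp, ProgramData or a user profile is the BYOVD pattern and should be treated as an active intrusion, not a patching task.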
Impact & risk of CVE-2020-15368 vulnerability
The risk is High (CVSS v3.1 base score 7.8, the standard local privilege escalation vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
While it requires local access to exploit, it is a "golden key" for attackers who have already gained a foothold. It allows them to transition from a standard user to having total control over the OS kernel. This level of access allows them to install rootkits, hide files from antivirus, and persist across reboots.
Mitigation & remediation strategies
The primary defense against BYOVD is blocking the specific driver.
Block the Driver: Add AsrDrv103.sys and its known hashes to your Windows Defender Application Control (WDAC) policy as deny rules, or to your EDR's blocklist. Microsoft also maintains a recommended driver block ruleset covering many such drivers; verify that the version deployed in your estate includes this file rather than assuming it does.
Uninstall Software: If you are using ASRock hardware, check for updates to the RGB LED software that remove or replace this driver. If the software is not critical, uninstall it entirely and confirm that no AsrDrv103 driver service remains registered.
Enable HVCI: Enable Hypervisor-Protected Code Integrity (HVCI, shown as "Memory Integrity" in Windows Security). HVCI does not by itself stop a validly signed driver from loading, but it prevents the unsigned code an attacker would bring in through this driver from executing in the kernel, and enabling it also switches on enforcement of Microsoft's vulnerable driver blocklist. It does not prevent data-only tampering through the physical memory write primitive, so pair it with the block rules above.
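The following PowerShell is an added example of the three mitigation steps above, not ASRock's or Microsoft's code. It builds WDAC deny rules for the driver by file name and by hash, merges them into an existing policy, and then reports and optionally enables HVCI and the vulnerable driver blocklist. It assumes Windows 10/11 with the ConfigCI module; the C:\IR\ paths are placeholders, and the AsrDrv103.sys sample is assumed to come from your own quarantine or the ASRock package.

```powershell
# Added mitigation helpers for CVE-2020-15368 (example code, not ASRock's or Microsoft's).
# Assumptions: Windows 10/11 with the ConfigCI module; C:\IR\* are placeholder paths.

$Sample  = 'C:\IR\AsrDrv103.sys'   # captured copy of the driver to build rules from
$BasePol = 'C:\IR\BasePolicy.xml'  # the WDAC policy already deployed in the estate
$DenyPol = 'C:\IR\Deny-AsrDrv.xml'
$Merged  = 'C:\IR\Merged.xml'
$Binary  = 'C:\IR\SIPolicy.p7b'

# 1. WDAC deny rules. A FileName-level rule keys on the OriginalFileName in the PE version resource,
#    so it blocks the driver even if it is renamed on disk; the Hash rule catches a sample whose
#    version resource has been stripped or altered. Deny rules win over any allow rule in the policy.
$rules  = New-CIPolicyRule -Level FileName -DriverFilePath $Sample -Deny
$rules += New-CIPolicyRule -Level Hash     -DriverFilePath $Sample -Deny
New-CIPolicy -Rules $rules -FilePath $DenyPol
# Inspect the FileAttrib the FileName rule produced: if it carries a MinimumFileVersion taken from
# the sample, newer builds of the driver may fall outside it. Microsoft's own block rules use
# MinimumFileVersion="65535.65535.65535.65535" on deny rules to cover every version of a file.
Merge-CIPolicy -PolicyPaths $BasePol, $DenyPol -OutputFilePath $Merged
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
# Deploy $Binary with whatever already delivers your WDAC policies (Intune, GPO, script), reboot,
# and run it in audit mode first so a bad merge does not brick the fleet.

# 2. HVCI (Memory Integrity) and the Microsoft vulnerable driver blocklist. HVCI does not stop a
#    validly signed driver from loading, but it stops the unsigned implants that driver would inject
#    from executing in the kernel, and turning it on also enables enforcement of the blocklist.
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$CiKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Get-KernelProtectionState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciConfigured   = (Get-ItemProperty $HvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
        HvciRunning      = $dg.SecurityServicesRunning -contains 2   # 2 = HVCI, 1 = Credential Guard
        BlocklistEnabled = (Get-ItemProperty $CiKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable -eq 1
    }
}

function Enable-KernelProtection {
    # Both settings take effect after a reboot. Memory Integrity needs virtualization-based security
    # and can refuse to load older, non-compliant drivers, so pilot it before a broad rollout.
    New-Item -Path $HvciKey -Force | Out-Null
    Set-ItemProperty -Path $HvciKey -Name Enabled -Value 1 -Type DWord
    New-Item -Path $CiKey -Force | Out-Null
    Set-ItemProperty -Path $CiKey -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
}

Get-KernelProtectionState
# Enable-KernelProtection   # uncomment to apply, then reboot and re-run Get-KernelProtectionState
```

The registry check reports what is configured; the Win32_DeviceGuard query reports what is actually running, and the two can disagree on hardware without virtualization extensions or after a failed boot, which is why both are shown.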