CVE-2020-15368 Overview
CVE-2020-15368 is an improper-access-control vulnerability in AsrDrv103.sys, the Windows kernel driver shipped with ASRock's RGB lighting software. The driver does not properly restrict access from user space, so a local process can make it carry out privileged operations that should be reserved for kernel mode. The vulnerability was demonstrated by triggering a triple fault through a request that zeroes CR3 (Control Register 3), the x86 register holding the physical base address of the current page tables. The same missing access control is what makes the driver useful for further exploitation, not only for crashing the machine.
Critical Impact
A local attacker with a low-privileged account can reach the driver's control interface and have it execute privileged operations. The demonstrated effect is a triple fault, which resets the machine outright. More generally, unrestricted user-mode access to CPU control registers removes the user/kernel boundary for any process that can open the device and can serve as a stepping stone to kernel-level compromise.
Affected Products
- ASRock RGB Driver Firmware
- ASRock RGB Driver (AsrDrv103.sys)
Discovery Timeline
- 2020-06-29 - CVE-2020-15368 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-15368
Vulnerability Analysis
The vulnerability exists within AsrDrv103.sys, a Windows kernel driver distributed with the ASRock RGB lighting control software. The driver exposes its functionality to user-mode applications through IOCTL (I/O control) requests on its device object, but it neither restricts which callers may open that device nor adequately validates the operations and parameters they request.
The core issue is that the driver performs privileged operations on behalf of any user-mode caller. That includes writing CPU control registers such as CR3, which holds the physical address of the root of the current page-table hierarchy (the PML4 on 64-bit Windows) and therefore governs every virtual-to-physical address translation the CPU performs.
When a request zeroes CR3, the CPU starts reading its page-table root from physical page 0, which does not describe valid mappings. The next instruction fetch or data access fails to translate and raises a page fault; the fault handler cannot be reached either, because its address can no longer be translated, so the CPU escalates to a double fault and then to a triple fault. A triple fault is handled by the processor, not the operating system: the CPU enters shutdown and the platform resets. The machine simply reboots, with no bug check (Blue Screen) and no memory dump.
Root Cause
The root cause is missing access control on the driver's device object combined with IOCTL handlers that carry out privileged operations without validating who is asking or what is being requested. A kernel driver that lets user mode write CPU control registers hands out a primitive the operating system relies on keeping to itself; the user/kernel boundary is effectively removed for any process that can open the device.
Attack Vector
This vulnerability requires local access to the target system. A low-privileged user cannot load the driver (installing a kernel driver requires administrative rights), but where the ASRock software is already installed the driver is present and its device object can be opened by ordinary user processes. No user interaction is required: the attack is a program that opens the device and sends a request.
The exploitation flow involves:
- Opening a handle to the AsrDrv103.sys driver device
- Sending a crafted IOCTL request targeting the CR3 register manipulation functionality
- Supplying parameters that cause CR3 to be zeroed
- The driver performs the write in kernel mode; the CPU faults on the next address translation and the machine resets
The IOCTL code and request layout are documented in the proof-of-concept materials available through the GitHub CVE-2020-15368 Repository and the CodeDetector Blog Post.
Detection Methods for CVE-2020-15368
Indicators of Compromise
- Presence of the AsrDrv103.sys driver file on the system (normally under the drivers directory; a copy dropped elsewhere by an attacker is a much stronger signal)
- Driver service registration for the ASRock RGB Driver in the Windows Service Control Manager
- Processes other than the ASRock lighting software opening handles to the driver's device object
- Unexplained reboots: a triple fault resets the machine without a bug check, so the only trace is an unclean-shutdown record (System log Event ID 41 from Kernel-Power, or 6008) with no memory dump
Detection Strategies
- Monitor for the loading of AsrDrv103.sys kernel driver on endpoints
- Implement driver allowlisting policies to prevent unauthorized kernel drivers from loading
- Use endpoint detection tools to identify applications opening handles to vulnerable driver devices
- Deploy Windows Defender Application Control (WDAC) or a similar driver signing policy with an explicit block rule for AsrDrv103.sys, and check whether the Microsoft recommended driver block rules already cover it
Monitoring Recommendations
- Collect the System log for Event ID 7045 (a service was installed; the ImagePath and ServiceType fields identify kernel driver installs) and, where Sysmon is deployed, Event ID 6 (driver loaded, with image path, signer and hashes)
- Monitor for unexpected IOCTL communications with RGB-related drivers
- A triple fault leaves no crash dump, so correlate unexplained reboots (Event ID 41 or 6008) with hosts where the driver is present rather than relying on dump analysis
- Track installation of ASRock software packages across the enterprise
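The detection strategies and monitoring recommendations above, as an added example that is not code from the referenced repository or blog post: it flags hosts where AsrDrv103.sys was registered as a driver service (System log Event ID 7045) or loaded into the kernel (Sysmon Event ID 6), and separately marks loads from outside the drivers directory. The event records are constructed samples shaped like the fields those events carry; hostnames, paths and signer strings are made up, and in practice the records would come from a SIEM or a Get-WinEvent export.

```python
"""Detection of CVE-2020-15368 exposure from Windows event records.

Added example, not code from the page's referenced repository or blog
post. Flags hosts where AsrDrv103.sys was registered as a driver service
(System log Event ID 7045) or loaded into the kernel (Sysmon Event ID 6).
All records below are constructed samples, not real telemetry.
"""
import re
from dataclasses import dataclass

DRIVER_NAME = "asrdrv103.sys"

# The file name must be the last path component. Accepts either slash
# style, the \??\ and \SystemRoot\ prefixes that ImagePath values use,
# and an optional closing quote; case-insensitive because NTFS is.
DRIVER_RE = re.compile(
    r'(?:^|[\\/"\s])' + re.escape(DRIVER_NAME) + r'"?\s*$', re.IGNORECASE
)
# The legitimate install location. A copy loaded from anywhere else
# (Temp, a user profile, removable media) points at an attacker-supplied
# driver rather than the vendor install.
DRIVER_DIR_RE = re.compile(r'[\\/]windows[\\/]system32[\\/]drivers[\\/]', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    source: str        # "service_install" or "driver_load"
    path: str
    in_driver_dir: bool
    detail: str


def is_driver_path(path: str) -> bool:
    """True when the path's final component is AsrDrv103.sys."""
    return bool(DRIVER_RE.search(path.strip()))


def detect(events):
    """Return one Finding per event that references AsrDrv103.sys."""
    findings = []
    for ev in events:
        host = ev.get("host", "unknown")
        provider, eid = ev.get("provider"), ev.get("event_id")
        if provider == "Service Control Manager" and eid == 7045:
            # 7045 fires for every new service; only kernel drivers matter here.
            path = ev.get("ImagePath", "")
            if ev.get("ServiceType") == "kernel mode driver" and is_driver_path(path):
                findings.append(Finding(
                    host, "service_install", path, bool(DRIVER_DIR_RE.search(path)),
                    f"service {ev.get('ServiceName')!r} registered, start type {ev.get('StartType')!r}",
                ))
        elif provider == "Microsoft-Windows-Sysmon" and eid == 6:
            path = ev.get("ImageLoaded", "")
            if is_driver_path(path):
                findings.append(Finding(
                    host, "driver_load", path, bool(DRIVER_DIR_RE.search(path)),
                    f"loaded into the kernel, signer {ev.get('Signature')!r}",
                ))
    return findings


def exposed_hosts(findings):
    """Sorted list of hosts with at least one finding."""
    return sorted({f.host for f in findings})


# Constructed sample records (hostnames, paths and signer strings are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "provider": "Service Control Manager", "event_id": 7045,
     "ServiceName": "AsrDrv103", "ServiceType": "kernel mode driver",
     "StartType": "demand start",
     "ImagePath": r"\??\C:\Windows\system32\drivers\AsrDrv103.sys"},
    {"host": "WS01", "provider": "Microsoft-Windows-Sysmon", "event_id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\AsrDrv103.sys",
     "Signed": "true", "Signature": "ASRock (sample signer)"},
    {"host": "WS02", "provider": "Service Control Manager", "event_id": 7045,
     "ServiceName": "Spooler", "ServiceType": "user mode service",
     "StartType": "auto start", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "WS03", "provider": "Microsoft-Windows-Sysmon", "event_id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Same driver dropped into a user's Temp directory: a bring-your-own-
    # vulnerable-driver pattern rather than the vendor install.
    {"host": "WS04", "provider": "Microsoft-Windows-Sysmon", "event_id": 6,
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\asrdrv103.SYS",
     "Signed": "true", "Signature": "ASRock (sample signer)"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        where = "vendor path" if f.in_driver_dir else "UNEXPECTED PATH"
        print(f"{f.host}: {f.source} {f.path} [{where}] {f.detail}")
    print("exposed hosts:", exposed_hosts(detect(SAMPLE_EVENTS)))
```

Matching on the final path component rather than a substring avoids false positives on unrelated files whose names merely contain the string, and the directory check turns a routine vendor install on WS01 into a low-priority inventory item while the Temp-directory load on WS04 stands out as the case that warrants a response.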
How to Mitigate CVE-2020-15368
Immediate Actions Required
- Identify all systems with ASRock RGB Driver software installed
- Uninstall the ASRock RGB Driver if the RGB lighting functionality is not required
- Restrict local user permissions where possible to limit attack surface
- Implement application control policies to prevent execution of exploit tools
Patch Information
Check with ASRock for an updated release of the RGB software whose driver restricts access to privileged operations; the vulnerable AsrDrv103.sys should be replaced by that patched version rather than left in place alongside it. Consult the CodeDetector Blog Post for additional technical context.
Workarounds
- Remove or disable the AsrDrv103.sys driver if RGB lighting control is not essential for operations
- Stop and disable the ASRock RGB Driver service with sc.exe or the Services console (services.msc)
- Implement strict driver allowlisting using Windows Defender Application Control (WDAC)
- Apply least-privilege principles to limit which users can interact with kernel drivers
# Disable the ASRock RGB driver service (PowerShell, run as Administrator).
# The .exe suffix matters in PowerShell, where bare "sc" is an alias for Set-Content.
# Confirm the registered service name first; AsrDrv103 is the name used on this page.
sc.exe query AsrDrv103
sc.exe stop AsrDrv103
sc.exe config AsrDrv103 start= disabled
# Optionally remove the driver file once the driver is no longer loaded
# (the image is locked while loaded, so do this after the stop succeeds or after a reboot)
# Remove-Item C:\Windows\System32\drivers\AsrDrv103.sys
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


