CVE-2024-30804 Overview
CVE-2024-30804 is a critical arbitrary code execution vulnerability discovered in the DeviceIoControl component of ASUS Fan_Xpert software. This vulnerability affects versions prior to v.10013 and allows attackers to execute arbitrary code by sending specially crafted IOCTL (Input/Output Control) requests to the vulnerable driver.
The flaw is classified under CWE-782 (Exposed IOCTL with Insufficient Access Control), indicating that the driver exposes dangerous functionality through IOCTL interfaces without implementing proper access controls or input validation.
Critical Impact
Successful exploitation allows attackers to execute arbitrary code with kernel-level privileges, potentially leading to complete system compromise, privilege escalation, and persistent access to affected systems.
Affected Products
- ASUS Fan_Xpert versions prior to v.10013
- Windows systems with vulnerable ASUS Fan_Xpert driver installed
- Systems running ASUS motherboard utility software with the affected component
Discovery Timeline
- 2024-04-26 - CVE-2024-30804 published to NVD
- 2025-03-14 - Last updated in NVD database
Technical Details for CVE-2024-30804
Vulnerability Analysis
This vulnerability resides in the DeviceIoControl component of ASUS Fan_Xpert, a popular hardware monitoring and fan control utility bundled with ASUS motherboards. The vulnerability stems from improper handling of IOCTL requests sent to the kernel driver, allowing unprivileged users to send malicious requests that can lead to arbitrary code execution in kernel context.
Windows device drivers communicate with user-mode applications through IOCTL interfaces. When these interfaces lack proper input validation and access control mechanisms, attackers can exploit them to gain elevated privileges or execute arbitrary code. In this case, the Fan_Xpert driver fails to adequately validate the parameters passed through specific IOCTL codes, enabling code execution.
Root Cause
The root cause of CVE-2024-30804 is the exposed IOCTL interface with insufficient access control (CWE-782). The driver does not properly validate:
- The source and privileges of the requesting process
- The size and content of input buffers passed through IOCTL requests
- Memory addresses referenced in the IOCTL parameters
This allows any local user to interact with the driver and potentially achieve kernel-mode code execution, bypassing security boundaries between user and kernel space.
Attack Vector
The attack can be executed by a local attacker with the ability to send IOCTL requests to the vulnerable driver. The exploitation process typically involves:
- Identifying the device object associated with the vulnerable driver
- Opening a handle to the device using CreateFile()
- Constructing a malicious IOCTL request with crafted parameters
- Sending the request via DeviceIoControl() to trigger the vulnerability
- Achieving arbitrary code execution in kernel context
A proof-of-concept demonstrating this vulnerability is available in the DriverHunter Win-Driver-EXP repository. Attackers leveraging this technique can achieve full system compromise through kernel-level code execution.
Detection Methods for CVE-2024-30804
Indicators of Compromise
- Unusual processes attempting to open handles to ASUS Fan_Xpert driver devices
- Suspicious DeviceIoControl calls targeting ASUS-related drivers from non-standard applications
- Kernel-mode crashes or blue screens potentially related to driver exploitation attempts
- Unexpected privilege escalation activities following driver interactions
Detection Strategies
- Monitor for processes making IOCTL calls to ASUS driver device objects that are not part of normal ASUS utility operations
- Implement endpoint detection rules that flag unusual kernel driver interactions from non-ASUS signed processes
- Use behavioral analysis to detect exploitation patterns consistent with IOCTL-based privilege escalation
- Deploy SentinelOne Singularity to detect and prevent kernel-level exploitation attempts in real-time
Monitoring Recommendations
- Enable Windows Security Event logging for driver load events (Event ID 6) and process creation (Event ID 4688)
- Monitor registry keys associated with ASUS driver services for unauthorized modifications
- Implement SentinelOne's kernel-level protection to detect malicious driver interactions
- Track suspicious process behaviors indicative of privilege escalation following driver exploitation
How to Mitigate CVE-2024-30804
Immediate Actions Required
- Update ASUS Fan_Xpert to version 10013 or later immediately
- If updates are not available, consider temporarily disabling or uninstalling the affected driver
- Implement application whitelisting to prevent unauthorized processes from interacting with system drivers
- Deploy endpoint protection solutions capable of detecting kernel-level exploitation attempts
Patch Information
ASUS has addressed this vulnerability in Fan_Xpert version 10013 and later. Users should:
- Visit the official ASUS support website for their motherboard model
- Download the latest version of the AI Suite III or Fan_Xpert utility
- Install the updated software to remediate the vulnerability
- Verify the installed version is 10013 or higher
For detailed technical information regarding this vulnerability, refer to the DriverHunter PoC Repository.
Workarounds
- Restrict access to the vulnerable driver by modifying its security descriptor to allow only trusted processes
- Use Windows Driver Verifier to monitor driver behavior and detect exploitation attempts
- Implement host-based intrusion prevention systems (HIPS) to block suspicious IOCTL patterns
- Consider using Windows Device Guard or HVCI (Hypervisor-Protected Code Integrity) to limit kernel-mode code execution
# Disable the vulnerable ASUS driver service temporarily (run as Administrator)
sc config AsusTPGpuCo stop
sc config AsusTPGpuCo disabled
# Verify driver is disabled
sc query AsusTPGpuCo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
