CVE-2022-42455

7.8 HIGH

📋 TL;DR

This vulnerability in the ASUS EC Tool driver (d.sys) allows local users to gain elevated privileges through unprivileged IOCTL calls that expose raw read/write access to port I/O and model-specific registers (MSRs). It affects Windows systems running ASUS software products that bundle the vulnerable driver. A standard user account can escalate to SYSTEM or kernel-level code execution.

💻 Affected Systems

Products:
  • ASUS EC Tool driver (d.sys) as included in various ASUS software products
Versions: All versions up to the fix; specific version range not detailed in references.
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with ASUS software installed; the driver is signed by ASUS and may be present on many ASUS devices.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with kernel-level code execution, enabling persistence, data theft, and disabling of security controls.

🟠 Likely Case: Privilege escalation from a standard user to SYSTEM, allowing installation of malware, credential dumping, and lateral movement.

🟢 If Mitigated: Limited impact if proper access controls and least privilege principles are enforced, though local exploitation remains possible.

🌐 Internet-Facing: LOW, as exploitation requires local access; remote exploitation is not feasible.
🏢 Internal Only: HIGH, as local users can exploit this to gain elevated privileges, posing significant risk in shared or multi-user environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but is straightforward due to publicly available proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references; check ASUS advisories for updated driver versions.

Vendor Advisory: https://www.asus.com/support/FAQ/1049141/

Restart Required: Yes

Instructions:

1. Visit the ASUS support website for your device model.
2. Download and install the latest driver updates.
3. Restart the system to apply the changes.

🔧 Temporary Workarounds

Disable or remove the vulnerable driver (Windows)

Uninstall the ASUS software that ships the vulnerable driver, or stop and remove the driver service from an elevated prompt:

sc stop ASUSEC
sc delete ASUSEC

Restrict driver access via Group Policy (Windows)

Use Group Policy to block execution of the vulnerable driver or restrict user permissions.

🧯 If You Can't Patch

  • Enforce least privilege: Limit local user accounts to standard privileges to reduce attack surface.
  • Monitor for suspicious activity: Use endpoint detection to alert on privilege escalation attempts or driver manipulation.

🔍 How to Verify

Check if Vulnerable:

Check for the presence of the d.sys driver in system directories and verify whether its SHA-256 hash matches the vulnerable version: 1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb.

Check Version:

PowerShell: Get-FileHash -Algorithm SHA256 C:\Windows\System32\drivers\d.sys

Command Prompt: certutil -hashfile C:\Windows\System32\drivers\d.sys SHA256

Verify Fix Applied:

Verify the driver version has been updated or removed; check ASUS software for patches and confirm no vulnerable hash matches.
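The checks above combined into one script, as an added PowerShell example that is not part of this advisory or of ASUS's tooling: it hashes d.sys at the path given on this page, compares against the vulnerable hash, reports the signer, and shows the state of the ASUSEC driver service named in the workaround section. The $ExtraPaths list is an assumed placeholder for other install locations to scan.

```powershell
# Added example, not from the advisory or from ASUS. Checks for the vulnerable
# ASUS EC Tool driver using the SHA-256 hash and path given on this page, and
# reports the state of the "ASUSEC" driver service named in the workaround.
# Assumption: $ExtraPaths is a placeholder list of other directories to scan.
# Run from an elevated PowerShell prompt.

$VulnerableHash = '1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb'
$DriverPaths    = @("$env:SystemRoot\System32\drivers\d.sys")
$ExtraPaths     = @("$env:ProgramFiles\ASUS")   # placeholder; adjust for your install

function Test-AsusEcToolDriver {
    $candidates = @($DriverPaths)
    foreach ($dir in $ExtraPaths) {
        if (Test-Path -LiteralPath $dir) {
            $candidates += @(Get-ChildItem -LiteralPath $dir -Filter 'd.sys' -Recurse -File `
                               -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)
        }
    }
    $findings = @()
    foreach ($path in ($candidates | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $findings += [pscustomobject]@{
            Path       = $path
            SHA256     = $hash
            Vulnerable = ($hash -eq $VulnerableHash)   # exact match to the known-bad build
            Signer     = $sig.SignerCertificate.Subject
            SigStatus  = $sig.Status
        }
    }
    return $findings
}

function Get-AsusEcServiceState {
    # Win32_SystemDriver lists kernel drivers with their start mode; Get-Service does not.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='ASUSEC'" |
        Select-Object Name, State, StartMode, PathName
}

$results = Test-AsusEcToolDriver
if ($results | Where-Object { $_.Vulnerable }) {
    Write-Warning 'Vulnerable ASUS EC Tool driver (d.sys) found: apply the ASUS update or remove the driver.'
} elseif ($results) {
    Write-Output 'd.sys present but hash differs from the vulnerable build; confirm the version against the ASUS advisory.'
} else {
    Write-Output 'd.sys not found in the scanned locations.'
}
$results | Format-Table -AutoSize
Get-AsusEcServiceState | Format-Table -AutoSize
```

A copy of d.sys with a different hash is not proof of a fixed build; compare the version against the ASUS advisory before closing the finding.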

📡 Detection & Monitoring

Log Indicators:

  • Event logs showing driver loading/unloading anomalies
  • Security logs with privilege escalation events

Network Indicators:

  • None, as this is a local exploit

SIEM Query:

Example: EventID=4697 OR EventID=4672 with process name containing 'd.sys' or ASUSEC
