PT-2019-6314 · Msi · Msi Afterburner

Published: 2019-09-10 · Updated: 2026-04-18 · CVE-2019-16098

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MSI Afterburner versions 4.6.2.15658 and earlier

Description: The issue is a buffer overflow in the MSI Afterburner utility that allows an attacker to elevate privileges, execute arbitrary code with high privileges, and disclose protected information. The vulnerability is exploited by reading and writing arbitrary memory, I/O ports, and MSRs. It has been used by the BlackByte ransomware to disable security tools and antivirus solutions. The attackers use the Bring Your Own Vulnerable Driver (BYOVD) technique, installing the legitimate but vulnerable RTCore64.sys driver on the system; this lets them read, write, or execute code in kernel memory without using shellcode or an exploit.

Recommendations: For MSI Afterburner version 4.6.2.15658 and earlier, add the RTCore64.sys driver to the active block list to prevent exploitation. Additionally, monitor all driver installation events and regularly check for driver installations that do not match the installed hardware. As a temporary workaround, disable the RTCore64.sys driver until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation, and avoid using the vulnerable driver until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
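The monitoring step above, as an added example that is not part of the advisory or of MSI's software: a PowerShell check that looks for RTCore64.sys among the registered kernel drivers, finds the Service Control Manager event (ID 7045) that installed it, and, if Sysmon is deployed, lists its driver-load events (ID 6). It assumes PowerShell 5.1 or later running with administrator rights; the function name Test-RTCore64Presence is my own.

```powershell
# Added example (not from the advisory). Looks for the vulnerable
# RTCore64.sys driver and for the events that installed or loaded it.
# Assumes PowerShell 5.1+ with administrator rights.
function Test-RTCore64Presence {
    $driverName = 'RTCore64.sys'
    $pattern    = [regex]::Escape($driverName) + '$'
    $result     = [ordered]@{ Registered = @(); Installs = @(); Loads = @() }

    # 1. Kernel drivers registered as services whose image path ends in RTCore64.sys.
    $result.Registered = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match $pattern) } |
        Select-Object Name, State, StartMode, PathName)

    # 2. System log, Service Control Manager event 7045 ("A service was
    #    installed in the system") records who installed the driver and when.
    $scmFilter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }
    $result.Installs = @(Get-WinEvent -FilterHashtable $scmFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($driverName) } |
        Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message)

    # 3. Optional: Sysmon event 6 ("Driver loaded") records every kernel
    #    driver load together with the image hash and signature status.
    $sysmonFilter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 }
    $result.Loads = @(Get-WinEvent -FilterHashtable $sysmonFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($driverName) } |
        Select-Object TimeCreated, Message)

    [pscustomobject]$result
}

$findings = Test-RTCore64Presence

if ($findings.Registered.Count -gt 0) {
    Write-Warning 'RTCore64.sys is registered as a kernel driver service:'
    $findings.Registered | Format-Table -AutoSize
} else {
    Write-Output 'No service registered for RTCore64.sys.'
}
if ($findings.Installs.Count -gt 0) {
    Write-Warning 'Service installation events (7045) referencing RTCore64.sys:'
    $findings.Installs | Format-List
}
if ($findings.Loads.Count -gt 0) {
    Write-Warning "Sysmon recorded $($findings.Loads.Count) load(s) of RTCore64.sys."
    $findings.Loads | Select-Object -First 5 | Format-List
}
```

A hit is not proof of abuse on its own, since a legitimate MSI Afterburner installation registers the same driver; compare the installing account and time in the 7045 event against known software deployments and the presence of MSI hardware before escalating.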

Exploit

Out of bounds Read

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2023-00886
CVE-2019-16098

Affected Products

Msi Afterburner