الثغرات ›

CVE-2018-19320

حرج 🇺🇸 CISA KEV ⚡ اختراق متاح

                    نُشر: Oct 24, 2022                                          ·  المصدر: CISA_KEV                

CVSS v3

9.0

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

GIGABYTE Multiple Products Unspecified Vulnerability — The GDrv low-level driver in GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU II exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.

🤖 ملخص AI

CVE-2018-19320 is a critical vulnerability in GIGABYTE's GDrv low-level driver (used in App Center, AORUS Graphics Engine, XTREME Gaming Engine, and OC GURU II) that exposes ring0 memcpy-like functionality to local attackers. This allows complete system takeover by enabling arbitrary kernel memory read/write operations. Public exploits are available, and this driver has been actively abused in Bring Your Own Vulnerable Driver (BYOVD) attacks by threat actors including ransomware groups. The vulnerability is particularly dangerous as the signed driver can be loaded even on systems where the GIGABYTE software is not installed.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: Apr 10, 2026 15:43

🇸🇦 التأثير على المملكة العربية السعودية

This vulnerability poses significant risk to Saudi organizations across multiple sectors. Government entities (NCA-regulated), banking institutions (SAMA-regulated), and energy sector companies (including ARAMCO and its contractors) that use GIGABYTE hardware with bundled software are directly affected. The BYOVD attack vector means even organizations without GIGABYTE software installed could be targeted — threat actors can bring the vulnerable signed driver to any Windows system. Saudi SOCs should be particularly concerned as this technique has been used by advanced ransomware operators and APT groups targeting critical infrastructure in the Middle East. Telecom operators (STC, Mobily, Zain) and healthcare organizations with workstations using GIGABYTE motherboards are also at risk.

🏢 القطاعات السعودية المتأثرة

Government Banking Energy Telecom Healthcare Defense Education

⚖️ درجة المخاطر السعودية (AI)

8.5

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Inventory all systems with GIGABYTE App Center, AORUS Graphics Engine, XTREME Gaming Engine, or OC GURU II installed

2. Update all GIGABYTE software to the latest patched versions from the official GIGABYTE website

3. Remove the vulnerable GDrv driver (gdrv.sys) from all systems where it is not needed



BYOVD Mitigation:

4. Enable Windows Defender Application Control (WDAC) or deploy Microsoft's Vulnerable Driver Blocklist to prevent loading of the known-vulnerable signed driver

5. Enable Hypervisor-Protected Code Integrity (HVCI) on supported systems

6. Add the vulnerable driver hash to your endpoint protection blocklist



Detection Rules:

7. Monitor for loading of gdrv.sys driver (Sysmon Event ID 6) — hash: 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427

8. Create SIEM alerts for DeviceIoControl calls to \\.\GDrv device

9. Monitor for suspicious driver loading by non-administrative processes

10. Deploy YARA rules for known BYOVD toolkits that leverage this driver

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. جرد جميع الأنظمة المثبت عليها GIGABYTE App Center أو AORUS Graphics Engine أو XTREME Gaming Engine أو OC GURU II

2. تحديث جميع برامج GIGABYTE إلى أحدث الإصدارات المصححة من موقع GIGABYTE الرسمي

3. إزالة برنامج تشغيل GDrv الضعيف (gdrv.sys) من جميع الأنظمة التي لا تحتاجه



تخفيف هجمات BYOVD:

4. تفعيل Windows Defender Application Control (WDAC) أو نشر قائمة حظر برامج التشغيل الضعيفة من Microsoft

5. تفعيل Hypervisor-Protected Code Integrity (HVCI) على الأنظمة المدعومة

6. إضافة تجزئة برنامج التشغيل الضعيف إلى قائمة الحظر في حماية نقاط النهاية



قواعد الكشف:

7. مراقبة تحميل برنامج تشغيل gdrv.sys (Sysmon Event ID 6)

8. إنشاء تنبيهات SIEM لاستدعاءات DeviceIoControl إلى جهاز GDrv

9. مراقبة تحميل برامج التشغيل المشبوهة من قبل العمليات غير الإدارية

10. نشر قواعد YARA لأدوات BYOVD المعروفة التي تستغل هذا البرنامج

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

ECC-2:3-1 (Asset Management) ECC-2:5-1 (Vulnerability Management) ECC-2:4-2 (Secure Configuration) ECC-2:6-1 (Threat Management)

🔵 SAMA CSF

3.3.3 (Patch Management) 3.3.5 (Vulnerability Management) 3.4.1 (Endpoint Security) 3.3.4 (Secure Configuration)

🟡 ISO 27001:2022

A.8.8 (Management of technical vulnerabilities) A.8.9 (Configuration management) A.8.7 (Protection against malware) A.8.15 (Logging)

🟣 PCI DSS v4.0

6.3.3 (Patching security vulnerabilities) 5.2 (Anti-malware mechanisms) 11.5 (File integrity monitoring)

🔗 المراجع والمصادر 0

لا توجد مراجع.

📦 المنتجات المتأثرة 1 منتج

GIGABYTE:Multiple Products

📊 CVSS Score

9.0

/ 10.0 — حرج

📋 حقائق سريعة

الخطورة حرج

CVSS Score9.0

EPSS37.07%

اختراق متاح ✓ نعم

تصحيح متاح ✓ نعم

CISA KEV🇺🇸 Yes

تاريخ الإصلاح2022-11-14

تاريخ النشر 2022-10-24

المصدر cisa_kev

المشاهدات 2

🇸🇦 درجة المخاطر السعودية

8.5

/ 10.0 — مخاطر السعودية

🏷️ الوسوم

kev actively-exploited ransomware

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2018-19320

عرّفنا بنفسك

تسجيل الدخول مطلوب