Aida64 Engineer Buffer Overflow (CVE-2019-25360)
CVE-2019-25360
Aida64 Engineer 6.10.5200 contains a buffer overflow vulnerability in the CSV logging configuration that allows attackers to execute malicious code by crafting a specially designed payload. Attackers ...
Overview
A critical security flaw has been identified in AIDA64 Engineer version 6.10.5200, a popular system diagnostics and benchmarking tool. This vulnerability allows an attacker to take complete control of an affected system by exploiting a weakness in the software’s logging feature.
Vulnerability Explained
In simple terms, the vulnerability exists in the feature that saves system reports as CSV (Comma-Separated Values) files. The software does not properly check the size of data being written into a fixed-size memory buffer during this logging process. By creating a specially crafted, malicious CSV file, an attacker can overflow this buffer. This overflow corrupts the program’s memory and can be used to overwrite the system’s built-in error-handling mechanisms. Once these are overwritten, the attacker can redirect the program to execute their own malicious code.
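As an added illustration of the bug class described above (this is not AIDA64's code, which is not public; the function names, the 64-byte line buffer and the "label,value" format are assumptions), the following C snippet shows a CSV logging routine that copies a configured field label into a fixed-size buffer without checking its length, beside a hardened version that validates the required length before writing:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical CSV logger: builds one "label,value" line in a fixed buffer. */
#define LINE_BUF 64

/* Vulnerable pattern: the label comes from a user-editable logging
 * configuration, but its length is never compared with LINE_BUF, so a
 * label longer than the buffer overruns the stack frame. */
size_t csv_line_unchecked(const char *label, const char *value,
                          char *out, size_t out_sz)
{
    char line[LINE_BUF];
    strcpy(line, label);            /* unbounded copy */
    strcat(line, ",");
    strcat(line, value);            /* unbounded append */
    return (size_t)snprintf(out, out_sz, "%s", line);
}

/* Hardened version: compute the required size first, refuse anything that
 * does not fit, and use bounded writes only.
 * Returns bytes written (excluding NUL), or 0 if the input was rejected. */
size_t csv_line_checked(const char *label, const char *value,
                        char *out, size_t out_sz)
{
    char line[LINE_BUF];
    size_t need = strlen(label) + 1 /* comma */ + strlen(value) + 1 /* NUL */;
    if (need > sizeof line)
        return 0;                   /* oversized configuration value: reject */
    int n = snprintf(line, sizeof line, "%s,%s", label, value);
    if (n < 0 || (size_t)n >= sizeof line || (size_t)n + 1 > out_sz)
        return 0;
    memcpy(out, line, (size_t)n + 1);
    return (size_t)n;
}

/* Helper: does the hardened routine reject a constructed 199-byte label? */
int rejects_oversized_label(void)
{
    char label[200], out[128];
    memset(label, 'A', sizeof label - 1);
    label[sizeof label - 1] = '\0';
    return csv_line_checked(label, "45", out, sizeof out) == 0;
}

int main(void)
{
    char out[128];
    printf("%zu %s\n", csv_line_checked("CPU Temp", "45", out, sizeof out), out);
    printf("oversized label rejected: %d\n", rejects_oversized_label());
    return 0;
}
```

The unchecked routine is only safe while every configured label is shorter than the buffer; the checked one turns the same oversized input into a rejected write instead of memory corruption.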
Potential Impact
The impact of this vulnerability is severe. If successfully exploited, an attacker can achieve Remote Code Execution (RCE). This means they can run any code they choose on the victim’s computer with the same privileges as the user running AIDA64. Consequences include:
- Full system compromise and data theft.
- Installation of malware, ransomware, or backdoors.
- Use of the compromised machine as a foothold to attack other systems on the network.
Given the software’s common use for hardware diagnostics, it may be run with administrative privileges, which would grant the attacker the highest level of system access.
Remediation and Mitigation
Immediate Action Required: Due to the critical nature of this flaw (CVSS: 9.8) and its ease of exploitation, prompt action is necessary.
- Update the Software: This is the primary and most effective solution. Upgrade AIDA64 Engineer to the latest version available from the official vendor (FinalWire). The vendor has released a patched version that addresses this buffer overflow. Verify you are running a version newer than 6.10.5200.
- Restrict File Sources: Do not open CSV or other data files from untrusted or unknown sources with AIDA64. The exploit requires the victim to open a maliciously crafted file.
- Principle of Least Privilege: Avoid running AIDA64 with administrative rights unless absolutely necessary for its core function. This can limit the potential damage of a successful exploit.
- Network Segmentation: On corporate networks, consider restricting the use of diagnostic software like AIDA64 to segmented networks, especially if it is not a business-critical application for all users.
IT administrators should prioritize updating this software on any workstation where it is installed, particularly those used by technical staff or engineers who are more likely to use such diagnostic tools.