CVE-2019-18845
Patriot Viper RGB driver — physical memory read/write via unrestricted IOCTL
Summary
| Field | Value |
|---|---|
| Driver | Viper RGB driver |
| Vendor | Patriot Memory |
| Vulnerability Class | Arbitrary R/W / Physical Memory Mapping |
| Abused Version | 1.0 |
| Status | Withdrawn — driver removed from Patriot software suite |
| Exploited ITW | No |
BYOVD Context
- Driver signing: Authenticode-signed by Patriot Memory with valid certificate
- Vulnerable Driver Blocklist: Not included in Microsoft's recommended driver block rules
- HVCI behavior: May load on HVCI-enabled systems if not hash-blocked
- KDU integration: Not integrated
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Physical memory read via MmMapIoSpace
- Physical memory write via MmMapIoSpace
Root Cause
The Patriot Viper RGB driver is the kernel component of Patriot's Viper RGB DRAM lighting control software. To control the RGB LEDs on DRAM modules, the driver exposes IOCTLs for physical memory access — the LEDs are controlled via SPD (Serial Presence Detect) registers accessible through physical memory mapping. However, the IOCTL handlers impose no restriction on the requested physical address range, so any physical address can be mapped, not just the SPD region.
ActiveCyber's writeup documents the vulnerability discovery and exploitation.
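As an added illustration of the root cause (example code, not Patriot's driver source): the "accept everything" behaviour the advisory describes, beside the bounds check a hardened IOCTL handler would apply to the user-supplied request before calling MmMapIoSpace. The allowed window, the request-buffer layout and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical SPD window the LED-control path is allowed to reach; a real
 * fix would use the range the hardware actually needs. */
#define ALLOWED_PHYS_BASE   0x00000000F0000000ULL
#define ALLOWED_PHYS_LENGTH 0x1000ULL
#define MAX_MAP_LENGTH      0x1000ULL

/* Hypothetical layout of the user-supplied IOCTL input buffer. */
struct phys_map_request {
    uint64_t phys_addr;   /* physical address handed to MmMapIoSpace */
    uint32_t length;      /* number of bytes to map */
};

/* Behaviour the advisory describes: every request is accepted as-is. */
bool vulnerable_validate(const struct phys_map_request *req)
{
    (void)req;
    return true;   /* no restriction on the physical address range */
}

/* Hardened check: bounded length, overflow-safe end computation, and the
 * whole span [phys_addr, phys_addr + length) inside the allowed window. */
bool hardened_validate(const struct phys_map_request *req)
{
    uint64_t end;

    if (req->length == 0 || req->length > MAX_MAP_LENGTH)
        return false;
    /* A huge phys_addr plus length could wrap to a small "end" and slip
     * past a naive range test; reject the wrap-around explicitly. */
    if (req->phys_addr > UINT64_MAX - req->length)
        return false;
    end = req->phys_addr + req->length;

    if (req->phys_addr < ALLOWED_PHYS_BASE)
        return false;
    if (end > ALLOWED_PHYS_BASE + ALLOWED_PHYS_LENGTH)
        return false;
    return true;
}
```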
Exploitation
The unrestricted physical memory mapping allows an attacker to:
- Open the device handle (permissive ACLs)
- Map arbitrary physical memory regions via the IOCTL
- Walk page tables to locate kernel structures
- Modify EPROCESS tokens for privilege escalation
The vulnerability demonstrates how peripheral LED control drivers can unintentionally expose full kernel access.
Detection
YARA Rule
rule CVE_2019_18845_ViperRGB {
    meta:
        description = "Detects Patriot Viper RGB vulnerable driver"
        cve = "CVE-2019-18845"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $viper = "Viper" wide ascii nocase
        $patriot = "Patriot" wide ascii
        $rgb = "RGB" wide ascii
    condition:
        $mz at 0 and $patriot and ($viper or $rgb)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of Viper RGB driver |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Driver service creation |
Behavioral Indicators
- Loading of Patriot Viper RGB driver outside of the Viper RGB software suite
- Physical memory mapping IOCTLs targeting addresses outside the SPD register range
- Privilege escalation following driver interaction