CVE-2022-36439

Vulnerability

A Time-of-Check Time-of-Use (TOCTOU) race condition exists in AsusSoftwareManager.exe (before 1.0.53.0), part of the ASUS System Control Interface (before 3.1.5.0) on ASUS personal computers running Windows. The component writes a temporary file into the Temp directory using low-integrity permissions, then later reopens it with SYSTEM privileges to delete a more privileged file. The vulnerable code path is reachable without special configuration beyond having the affected software installed [1].

Exploitation

A local, unprivileged attacker who can observe and predict the temporary file creation can win the race window by substituting the temporary file with a symbolic link or alternate file stream before the privileged deletion occurs. The attacker requires the ability to write to the %TEMP% directory and to monitor file system events. No authentication beyond a standard user account is needed; the race is triggered by invoking AsusSoftwareManager.exe functionality that performs the privileged file operation [1].

Impact

Successful exploitation allows the attacker to delete arbitrary files as SYSTEM, including protected operating system files or security binaries. Depending on the deleted target, this can lead to denial of service, or—if combined with file replacement or system restart—potentially to privilege escalation or persistent compromise. The attacker gains SYSTEM-level delete capability, not direct read or write of most files, but the deletion primitive is powerful enough to destabilise the system [1].

Mitigation

ASUS has released patched versions: ASUS System Control Interface 3.1.5.0, AsusSoftwareManger.exe 1.0.53.0, and AsusLiveUpdate.dll 1.0.45.0. Affected users should update via ASUS official support or the Armoury Crate interface. No workaround exists other than removing the vulnerable software. This CVE is not currently listed on the CISA KEV catalogue [1].