Vulnerability: Logitech Options users should uninstall immediately (updated)

LoadsaMoney · 14 Dec 2018 at 13:30

A researcher from Google’s Project Zero discovered a critical vulnerability in the software for Logitech keyboards and mouses. As a workaround, Logitech Options users should uninstall the software. With no patch or fix in sight, the issue can be easily exploited.

The vulnerability was discovered by Google Project Zero security researcher Tavis Ormandy. He found that the Logitech Options software opens a local websockets port which takes commands without authentication reports myce.

Attackers could exploit this issue by sending simulated keystrokes from any website and thus execute pretty much anything on affected systems.

Ormandy discovered the issue when he installed the software to configure the buttons of his mouse on Windows. The 150 MB large application automatically starts when Windows starts and then also opens the vulnerable port on which a websockets service runs. Websites can communicate directly with the websockets service and because there is no authentication, it will accept any command it receives. Even worse, the software also doesn’t check where the commands originate from, which means it will accept any commands from any website.

Only one small security measure could stop a possible attack but is easily bypassed, as Ormandy explains, “the only “authentication” is that you have to provide a pid [process ID] of a process owned by your user, but you get unlimited guesses so you can brute force it in microseconds.”

Ormandy reported the issues to Logitech developers in September this year and although they assured him they understood the problem, the last release of the software still didn’t contain a proper fix. As part of Google Project Zero’s responsible disclosure policy, Logitech was given a 90-day deadline to fix the issue. That deadline now expired and the issue is therefore now publicly disclosed.

Users who have Logitech Options installed should uninstall the software immediately, it will be very easy for attackers to exploit this issue and any visited website is a security risk when the software runs on the computer.

Update: Logitech is now offering an updated version of their Options software that fixes the vulnerabiity. Please download the updated version from here.

https://www.guru3d.com/news_story/v...tions_users_should_uninstall_immediately.html

Pyr0m@nI@]{ · 14 Dec 2018 at 13:41

wow, thanks for the head's up. I only installed these the other day for a new mx master.

TheVoice · 14 Dec 2018 at 13:46

Pyr0m@nI@]{ said:
wow, thanks for the head's up. I only installed these the other day for a new mx master.

Updated version is linked, doesn't seem like the update check in the application itself is detecting it yet.

Pyr0m@nI@]{ · 14 Dec 2018 at 13:54

yeah, i'll definitely get the new version installed when i get home tonight

Cromulent · 22 Dec 2018 at 18:11

Blimey. Just saw this thread and updated to the latest version. Pretty shocking problem. You would have thought that the programmers would realise they were making a mistake.

Phil2008 · 23 Dec 2018 at 12:45

Pyr0m@nI@]{ said:
wow, thanks for the head's up. I only installed these the other day for a new mx master.

Hey, with your master do you find if you set the monitor to turn off after X amount of time in windows, does the monitor then turn back on a few secs later? Because ever since having the mx master mouse I have had this prob and I cant find a fix for it anywhere.

Pyr0m@nI@]{ · 23 Dec 2018 at 15:06

Phil2008 said:
Hey, with your master do you find if you set the monitor to turn off after X amount of time in windows, does the monitor then turn back on a few secs later? Because ever since having the mx master mouse I have had this prob and I cant find a fix for it anywhere.

Hi Phil,
I've just checked and no, the screen stays off after setting it to turn off after 1 min.

Phil2008 · 23 Dec 2018 at 17:09

Pyr0m@nI@]{ said:
Hi Phil,
I've just checked and no, the screen stays off after setting it to turn off after 1 min.

Thanks.......try 10mins, I find that the screen stays off for longer if you do it for 3 or less mins, but 10mins it turns back on within a few secs, but if yo leave it for another 10mins after the failed attempt it tries again, and the 2nd attempt it does stay off. If that makes sense.

Pyr0m@nI@]{ · 23 Dec 2018 at 19:56

Phil2008 said:
Thanks.......try 10mins, I find that the screen stays off for longer if you do it for 3 or less mins, but 10mins it turns back on within a few secs, but if yo leave it for another 10mins after the failed attempt it tries again, and the 2nd attempt it does stay off. If that makes sense.

Set it to 10 mins, twiddled my thumbs and yeah, exactly as you describe. After about 10-15 seconds the screen wakes again.

Jokester · 23 Dec 2018 at 20:06

Heh, just bought a new Logitech keyboard and mouse, will need to grab the software update.

Phil2008 · 23 Dec 2018 at 21:18

Pyr0m@nI@]{ said:
Set it to 10 mins, twiddled my thumbs and yeah, exactly as you describe. After about 10-15 seconds the screen wakes again.

If you turn the mouse off, the monitor stays off... If anyone finds a fix for this problem, please post it.

Raumarik · 23 Dec 2018 at 22:33

Phil2008 said:
Hey, with your master do you find if you set the monitor to turn off after X amount of time in windows, does the monitor then turn back on a few secs later? Because ever since having the mx master mouse I have had this prob and I cant find a fix for it anywhere.

Hadn't realised it could be my mouse causing this. I'll need to bring my spare back from work and swap them off to see if it solves it. Very annoying but it was a nice PC so I've been trying all sorts of random settings and never thought it could simply be the MX Master 2S