Researchers analyzing the security of legitimate device drivers found that more than 40 drivers from at least 20 hardware vendors contain vulnerabilities that can be abused to achieve privilege escalation.

Hardware represents the building blocks of a computer on top of which software resides. Drivers are what allows the operating system to identify the hardware components and interact with them.

Driver code enables communication between the OS kernel and the hardware, enjoying a higher permission level than the normal user and the administrator of the system.

Therefore, vulnerabilities in drivers are a serious issue as they can be exploited by a malicious actor to gain access to the kernel and get the highest privileges on the operating system (OS).

Since drivers are also used to update hardware firmware, they can reach components operating at an even deeper level that is off-limits for the OS, and change the way they function, or brick them.

BIOS and UEFI firmware, for instance, are low-level software that starts before the operating system, when you turn on the computer. Malware planted in this component is invisible to most security solutions and cannot be removed by reinstalling the OS.

Drivers are trusted

Researchers at firmware and hardware security firm Eclypsium discovered more than 40 drivers that could be abused to elevate privileges from user space to kernel permissions.

The vendors affected (a partial list is given at the end of this article) include every major BIOS vendor and big names in the computer hardware business like ASUS, Toshiba, Intel, Gigabyte, Nvidia, or Huawei.

“All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory.” – Eclypsium

From the kernel, an attacker can move to firmware and hardware interfaces, allowing them to compromise the target host beyond the detection capabilities of normal threat-protection products, which operate at the OS level.

Installing drivers on Windows requires administrator privileges, and the drivers need to come from trusted parties certified by Microsoft. The code is also signed by valid Certificate Authorities to prove authenticity. If a signature is missing, Windows issues a warning to the user.

However, Eclypsium’s research refers to legitimate drivers with valid signatures accepted by Windows. These drivers are not designed to be malicious but contain vulnerabilities that can be abused by malicious programs and actors.

To make matters worse, these drivers affect all modern versions of Windows, including Windows 10.

“These issues apply to all modern versions of Microsoft Windows and there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers.”

The researchers say that among the vulnerable drivers they found some that interact with graphics cards, network adapters, hard drives, and other devices.

Risk is not hypothetical

Malware planted in these components “could read, write, or redirect data stored, displayed or sent over the network.” Furthermore, the components could be disabled, triggering a denial-of-service condition on the system.

Attacks leveraging vulnerable drivers are not theoretical. They’ve been identified in cyber-espionage operations attributed to well-financed hackers.

The Slingshot APT group used older vulnerable drivers to elevate privileges on infected computers. The Lojax rootkit from APT28 (a.k.a. Sednit, Fancy Bear, Strontium, Sofacy) was more insidious as it lodged in the UEFI firmware via a signed driver.

All modern versions of Windows are impacted by this problem and no mechanism exists at a wider scale to prevent the vulnerable drivers from loading.

An attack scenario is not limited to systems that already have a vulnerable driver installed. Threat actors can add them specifically for privilege escalation and persistence purposes.

Solutions to mitigate this threat include regular scanning for outdated system and component firmware, and applying the latest driver fixes from device manufacturers in order to resolve any vulnerabilities.
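Because a valid signature says nothing about whether a driver is vulnerable, the practical first step for a defender is to know which kernel drivers are present on a host, who signed them, and what their hashes are, so they can be checked against the vendor fixes and against a locally kept list of known-vulnerable driver hashes. The following PowerShell script is an added example, not code from the article or from Eclypsium; it uses only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature, Get-FileHash), and the blocklist hash in it is a placeholder to be replaced with values from your own tracking.

```powershell
# Added example (not part of the article or of Eclypsium's research): inventory the
# kernel drivers registered on a Windows host, record each one's Authenticode signer
# and SHA-256 hash, and flag any hash found on a locally maintained blocklist.
# Run from an elevated PowerShell prompt so every driver file is readable.

# Placeholder blocklist: populate from your own tracking of vulnerable driver builds.
$KnownVulnerableSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder value
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes: NT form (\??\C:\...),
    # \SystemRoot\..., a System32-relative name, or a plain absolute path.
    # Normalise all of them to a regular filesystem path.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State        # Running / Stopped
                StartMode   = $_.StartMode    # Boot / System / Auto / Manual / Disabled
                Path        = $path
                SigStatus   = $sig.Status     # Valid, NotSigned, HashMismatch, ...
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Sha256      = $hash
                OnBlocklist = ($KnownVulnerableSha256 -contains $hash)
            }
        }
    }
}

$inventory = Get-DriverInventory

# Drivers whose signature does not validate deserve a look even when not on the list.
$inventory | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Name, Path, SigStatus, Signer -AutoSize

# Hits on the blocklist are the actionable findings: these files are validly signed,
# so signature status alone would never have surfaced them.
$inventory | Where-Object { $_.OnBlocklist } |
    Format-Table Name, StartMode, Path, Signer, Sha256 -AutoSize

# Keep a CSV per run so inventories can be diffed: a third-party driver that appears
# between runs is itself worth investigating, since an attacker can bring one along.
$inventory | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-inventory.csv"
```

The script reports; it does not stop anything from loading, which matches the article's point that no universal blocking mechanism exists. Stopped or Manual-start entries are still included on purpose: a vulnerable driver that is merely present on disk can be started later, so the inventory should not be limited to what is running at the moment of the scan.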

Below is a partial list of affected vendors as some of the others are still under embargo.

American Megatrends International (AMI)
ASUSTeK Computer
ATI Technologies (AMD)
Micro-Star International (MSI)
Phoenix Technologies
Realtek Semiconductor
