Over 40 Windows drivers are vulnerable to privilege escalation flaws

by Julie Splinters - - 2019-08-12

Drivers from 20 popular vendors are vulnerable to multiple vulnerabilities as revealed in DEF CON 27 security conference

40 drivers vulnerable During the DEF CON 27, security experts revealed that more than 40 drivers are vulnerable to privilege escalation flaws

Drivers are vital Windows system components that allow the hardware to communicate with the operating system, which allows normal computer function. Due to its operation principles, drivers, therefore, have much higher permission level when compared to that of a regular or even administrator user.

During the DEF CON 27 security conference^[1] on Saturday in Las Vegas, principal researcher Mickey Shkatov and security expert Jesse Michael revealed that more than 40 drivers from 20 different vendors are vulnerable to privilege escalation vulnerabilities, despite being certified by Microsoft.

The privilege escalation flaws are extremely dangerous as they would allow the attacker to insert the malicious code after accessing kernel and hide a backdoor or another type of malware for months or even years without the victim noticing of anything being out of the ordinary.

Because drivers are also used to upgrade the firmware, security applications will not be able to detect signs of the infection, and even the reinstallation of the operating will not help. Unfortunately, the examples of such malware have already been spotted in the wild – Slingshot APT^[2] and LoJax being highlighted by researchers previously.

Shkatov explained the reasons for such scenarios in an email to ZDNet:^[3]

The design flaw surfaces when signed drivers provide functionality which can be misused by userspace applications to perform arbitrary read/write of these sensitive resources without any restriction or checks from Microsoft.

This is a common software design anti-pattern where, rather than making the driver only perform specific tasks, it's written in a flexible way to just perform arbitrary actions on behalf of userspace. It's easier to develop software by structuring drivers and applications this way, but it opens the system up for exploitation

Malware that can access kernel is among the most dangerous

Eclypsium security researchers named^[4] more than 40 different drivers that are vulnerable and would allow the attacker to move from the Ring 3 (accessible to applications) to Ring 0 (accessible to kernel). Additionally, the flaws would also allow reaching such parts as model-specific registers (MSRs), Debug Registers (DR), Control Registers (CR) and physical memory.

However, access to the most vital OS parts is only one side of the danger:

Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware.

To install drivers for the Windows OS, a user need to be logged as an administrator. Additionally, the file must be signed by Microsoft and also certified by Certificate Authorities, otherwise, a warning is instantly provided. While drivers signed in such a way are not designed to be malicious, they possess security flaws that might be abused by hackers.

Among the affected driver vendors – Nvidia, Toshiba, Intel, Huawei and other big names

Eclypsium researchers said that among the discovered vulnerable drivers were those that interact with network adapters, graphic cards, hard drives, and other devices and could result in devastating consequences:

Persistent malware inside these devices could read, write, or redirect data stored, displayed or sent over the network. Likewise, any of the components could be disabled as part of a DoS or ransomware attack.

Since many of the drivers themselves are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes.

Among the vendors that are affected by the vulnerabilities, the following ones were listed:

ASRock
ASUSTeK Computer
ATI Technologies (AMD)
Biostar
EVGA
Getac
GIGABYTE
Huawei
Insyde
Intel
Micro-Star International (MSI)
NVIDIA
Phoenix Technologies
Realtek Semiconductor
SuperMicro
Toshiba

Upon the initial discovery, Eclypsium experts immediately contacted the vendors, and some of them already issued updates to the flaws of their drivers – Intel^[5] and Huawei^[6] being among the others.

Researchers note that organizations should pay close attention to driver updates, scan for vulnerabilities, and patch the firmware of their machines as soon as possible.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Jesse Michael, Mickey Shkatov. Get off the kernel if you can't drive. Eclypsium. Official DEF CON report.
^ Olivia Morelli. APT hackers were stealthily implanting Slingshot malware for six years. 2-spyware. Cybersecurity news and articles.
^ Catalin Cimpanu. Researchers find security flaws in 40 kernel drivers from 20 vendors. ZDNet. Technology News, Analysis, Comments and Product Reviews.
^ Screwed drivers -signed, sealed, delivered. Eclypsium. Security blog.
^ Intel® Processor Diagnostic Tool Advisory. Intel. Security center.
^ Security Advisory - Three Vulnerabilities in Huawei PCManager Product. Huawei. Security Advisories.