Drivers from 20 popular vendors contain multiple vulnerabilities, as revealed at the DEF CON 27 security conference
Drivers are vital Windows system components that allow hardware to communicate with the operating system, enabling normal computer function. Because of how they operate, drivers run at a much higher permission level than a regular or even an administrator user.
On Saturday at the DEF CON 27 security conference in Las Vegas, principal researcher Mickey Shkatov and security expert Jesse Michael revealed that more than 40 drivers from 20 different vendors contain privilege escalation vulnerabilities, despite being certified by Microsoft.
The privilege escalation flaws are extremely dangerous: they would allow an attacker who has gained kernel access to insert malicious code and hide a backdoor or another type of malware for months or even years without the victim noticing anything out of the ordinary.
Because drivers are also used to upgrade firmware, security applications will not be able to detect signs of the infection, and even reinstalling the operating system will not help. Unfortunately, examples of such malware have already been spotted in the wild; researchers have previously highlighted Slingshot APT and LoJax.
Shkatov explained the reasons for such scenarios in an email to ZDNet:
The design flaw surfaces when signed drivers provide functionality which can be misused by userspace applications to perform arbitrary read/write of these sensitive resources without any restriction or checks from Microsoft.
This is a common software design anti-pattern where, rather than making the driver only perform specific tasks, it's written in a flexible way to just perform arbitrary actions on behalf of userspace. It's easier to develop software by structuring drivers and applications this way, but it opens the system up for exploitation.
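To make the anti-pattern Shkatov describes concrete, here is an added C example that models a driver's request dispatcher in ordinary user space (constructed for this article; it is not code from the researchers, from Microsoft, or from any vendor driver, and it touches no real hardware). A small array stands in for the privileged resource a driver can reach. `generic_dispatch` is the flexible design, where the caller names any location and any value, and `restricted_dispatch` is the task-based alternative, where the caller selects a pre-declared task and the driver decides which word and which bits that task may touch. The request layout, status codes and task table are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a privileged resource a driver can reach
 * (registers, physical memory). Nothing here touches real hardware. */
#define RESOURCE_WORDS 16
static uint64_t g_resource[RESOURCE_WORDS];

enum { OP_READ = 0, OP_WRITE = 1 };
enum { STATUS_OK = 0, STATUS_DENIED = 1, STATUS_BAD_INDEX = 2, STATUS_BAD_OP = 3 };

/* Hypothetical request layout, as a user-space caller would hand it to the
 * driver through an IOCTL-style interface. */
typedef struct {
    uint32_t op;      /* OP_READ or OP_WRITE */
    uint64_t index;   /* which resource word to touch */
    uint64_t value;   /* value to store for OP_WRITE */
} ioctl_request;

/* Anti-pattern: the driver is a generic proxy. The only check is that the
 * index fits the array; the caller picks any location and any value, so the
 * driver's privilege is effectively lent to user space. */
int generic_dispatch(const ioctl_request *req, uint64_t *out)
{
    if (req->index >= RESOURCE_WORDS)
        return STATUS_BAD_INDEX;
    switch (req->op) {
    case OP_READ:
        *out = g_resource[req->index];
        return STATUS_OK;
    case OP_WRITE:
        g_resource[req->index] = req->value;
        return STATUS_OK;
    default:
        return STATUS_BAD_OP;
    }
}

/* Task-based alternative: user space selects a named task, never an address.
 * Each task declares the single word it operates on, whether writes are
 * allowed at all, and which bits a write may change. */
typedef struct {
    uint64_t index;     /* resource word this task operates on */
    int      writable;  /* 0 = read-only task */
    uint64_t mask;      /* bits a write may change (unused for read-only tasks) */
} task_policy;

static const task_policy g_tasks[] = {
    { 3, 0, 0 },      /* task 0: read a status word */
    { 5, 1, 0x7 },    /* task 1: change the low three configuration bits of word 5 */
};
#define TASK_COUNT (sizeof g_tasks / sizeof g_tasks[0])

int restricted_dispatch(uint32_t task, int is_write, uint64_t value, uint64_t *out)
{
    if (task >= TASK_COUNT)
        return STATUS_DENIED;              /* unknown task: there is no default action */
    const task_policy *p = &g_tasks[task];
    if (!is_write) {
        *out = g_resource[p->index];
        return STATUS_OK;
    }
    if (!p->writable)
        return STATUS_DENIED;              /* read-only task */
    if (value & ~p->mask)
        return STATUS_DENIED;              /* refuse rather than silently truncate */
    g_resource[p->index] = (g_resource[p->index] & ~p->mask) | value;
    return STATUS_OK;
}

/* Helpers so the behaviour can be inspected and runs are repeatable. */
void resource_reset(void)
{
    for (size_t i = 0; i < RESOURCE_WORDS; i++)
        g_resource[i] = 0;
}

uint64_t resource_word(size_t i)
{
    return i < RESOURCE_WORDS ? g_resource[i] : 0;
}

int main(void)
{
    uint64_t out = 0;
    resource_reset();

    /* The generic interface accepts a write of any value to any word. */
    ioctl_request req = { OP_WRITE, 0, 0xdeadULL };
    printf("generic write to word 0: status %d, word 0 = 0x%llx\n",
           generic_dispatch(&req, &out), (unsigned long long)resource_word(0));

    /* The task interface refuses the equivalent request three different ways. */
    printf("unknown task:       %d\n", restricted_dispatch(9, 1, 1, &out));
    printf("write to read-only: %d\n", restricted_dispatch(0, 1, 1, &out));
    printf("bits outside mask:  %d\n", restricted_dispatch(1, 1, 0x8, &out));
    printf("permitted write:    %d, word 5 = 0x%llx\n",
           restricted_dispatch(1, 1, 0x5, &out), (unsigned long long)resource_word(5));
    return 0;
}
```

The difference to notice is where the decision lives: in `generic_dispatch` the caller decides what happens and the driver merely executes it, whereas in `restricted_dispatch` the driver's task table is the complete list of what any caller can ever make it do, which is also the list a reviewer or a signing authority can audit.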
Malware that can access the kernel is among the most dangerous
Eclypsium security researchers named more than 40 different vulnerable drivers that would allow an attacker to move from Ring 3 (accessible to applications) to Ring 0 (accessible to the kernel). Additionally, the flaws would also allow reaching components such as model-specific registers (MSRs), debug registers (DR), control registers (CR) and physical memory.
However, access to the most vital OS parts is only one side of the danger:
Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware.
To install drivers on Windows, a user needs to be logged in as an administrator. Additionally, the file must be signed by Microsoft and also certified by a Certificate Authority; otherwise, a warning is shown immediately. While drivers signed in this way are not designed to be malicious, they may contain security flaws that hackers can abuse.
Among the affected driver vendors: Nvidia, Toshiba, Intel, Huawei and other big names
Eclypsium researchers said that the vulnerable drivers discovered include those that interact with network adapters, graphics cards, hard drives and other devices, and that abusing them could have devastating consequences:
Persistent malware inside these devices could read, write, or redirect data stored, displayed or sent over the network. Likewise, any of the components could be disabled as part of a DoS or ransomware attack.
Since many of the drivers themselves are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes.
Among the vendors affected by the vulnerabilities, the following were listed:
- ASUSTeK Computer
- ATI Technologies (AMD)
- Micro-Star International (MSI)
- Phoenix Technologies
- Realtek Semiconductor
Researchers note that organizations should pay close attention to driver updates, scan for vulnerabilities, and patch the firmware of their machines as soon as possible.