Researchers Disclose New Vulnerabilities in Windows Drivers

  /     /     /  
Publicated : 23/11/2024   Category : security


Researchers Disclose New Vulnerabilities in Windows Drivers


Attackers could take advantage of simple design flaws in widely distributed drivers to gain control over Windows systems.



Eclypsium researchers today disclosed new vulnerabilities in widely distributed Windows drivers, which could be exploited to take over Windows systems, including the devices system and component firmware. These vulnerable drivers directly affect Intel devices, they report.
The findings, published today, build on previous research shared in August, when Eclypsium detailed how attackers could abuse simple design flaws in widely distributed drivers to modify the Windows kernel or device firmware. In doing so, they could access and persist in the deepest levels of a machine, gaining high privileges while avoiding traditional security tools.
Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host,
researchers wrote
in their August findings.
An attacker or malware in the user space of a device (ring 3) could take advantage of a vulnerable driver to read and write data to kernel space (ring 0) and even lower-level firmware components. You can compromise the integrity of Windows [and] can get privilege escalation from a user application into the kernel, says principal researcher Jesse Michael. You can also use this kind of direct device access to modify firmware maliciously.
These vulnerable drivers, they note, are all valid tools that vendors release to help manage or update machines. They are properly sealed and meant to be trusted on almost any device.
Many of the drivers Eclypsium found flawed were disclosed in the August research; however, two drivers from Intel were held until a fix and advisory were ready. These were released later in August and are now public at Intel Processor Identification Utility for Windows Advisory (
INTEL-SA-00281
) and Intel Computing Improvement Program Advisory (
INTEL-SA-00283
).
The Intel PMx driver, also called PMxDrv, was also held under embargo due to complexities of the issue, researchers report today. Analysis of the driver revealed it was incredibly capable and contained a superset of capabilities previously seen in drivers. PMxDrv can read/write to physical memory, read/write to model specific registers, read/write to control registers, read/write to the interrupt descriptor table and global descriptor able, read/write to debug registers, arbitrarily gain I/O access, and arbitrarily gain PCI access, they wrote in a
blog post
on todays news. Michael calls it a Swiss army knife driver: Attackers can use it to do whatever they want.
This level of access can provide an attacker with near-omnipotent control over a victim device, the researchers explained. The flawed driver has been included in many Intel ME and BIOS related toolsets dating back to 1999. A tool released by Intel to mitigate a recent AMT flaw contained this driver as part of the toolset; as a result, someone who downloaded and ran the tool to see whether a system was vulnerable unintentionally compromised the system, Michael adds.
Eclypsium has been working with Intels PSIRT team on this problem; as of today, it has released updated versions of the driver to mitigate the vulnerability.
Defending Against Compromised Admins
Most drivers the researchers analyzed could be exploited by an unprivileged user to modify device firmware or attack the running kernel with unfiltered IO, PCI, or MMIO access. However, they say, some drivers had restrictions to only allow use by processes with admin privileges.
Microsofts Windows
security model for driver developers
explains security boundaries in how drivers operate within Windows. This model describes the path between an admin process and a kernel driver as a noteworthy trust boundary. However, according to Microsofts
Security Servicing Criteria for Windows
, processes running in user space with admin privileges are treated the same as in the Windows kernel. There is no security boundary between the two.
Researchers found fault with this. While an admin has control over the device, there are security-related operations that even the admin cant touch. Once Secure Boot is enabled, a reboot and process to verify physical presence should be required to disable it, they explain. Many security controls cant be disabled at runtime without a system reboot.
Allowing a compromised Administrator process to read and write kernel memory and otherwise launch attacks against the kernel renders these controls ineffective and leaves a gaping security hole, researchers say.
Other companies have taken steps to protect against compromised admins, Michael points out. Apples System Integrity Protection was built to protect macOS components from malicious software, even running as root with full admin privileges. Admins can disable this, but not at runtime, and they must turn the system off and reboot into Recovery OS to disable protection.
Linux has Kernel Lockdown to prevent a root user from performing operations that could harm the integrity of the kernel. Most Linux distributions have been shipping versions of the protection for years, and the patch has been accepted into the mainline Linux Kernel.
As of now, there is no universally applicable way to prevent Windows from loading any of the bad drivers Eclypsium has disclosed so far. Researchers report Microsoft is addressing the problem through its HVCI technology, which will let Microsoft act as a virtual firewall to protect the kernel. Right now, admins best option is to block or blacklist old, known-bad drivers.
Related Content:
6 Small-Business Password Managers
Why Cyber-Risk Is a C-Suite Issue
Account Fraud Harder to Detect as Criminals Move from Bots to Sweat Shops
Ring Flaw Underscores Impact of IoT Vulnerabilities
Check out 
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
Account Fraud Harder to Detect as Criminals Move from Bots to Sweat Shops
.

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Researchers Disclose New Vulnerabilities in Windows Drivers