Researchers from cybersecurity firm Eclypsium revealed that 40+ different drivers from 20 Microsoft-certified hardware vendors contained poor code, which could be exploited to mount an escalation of privilege attack.
At this year’s DEF CON conference in Las Vegas, Eclypsium released a list of affected major BIOS vendors and hardware manufacturers, including ASUS, Huawei, Intel, NVIDIA and Toshiba.
The drivers affect all versions of Windows, which means that millions are at risk. Drivers could potentially allow malicious applications to gain kernel privileges at the user level, thereby gaining direct access to firmware and hardware.
The malware can be installed directly into the firmware, so reinstalling the operating system isn’t even a solution.
All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory. This is a privilege escalation as it can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0). The concept of protection rings is summarized in the image below, where each inward ring is granted progressively more privilege. It is important to note that even Administrators operate at Ring 3 (and no deeper), alongside other users. Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware.
If a vulnerable driver is already present on the system, a malicious application just needs to search for it to elevate privilege. If the driver isn’t present, a malicious application could bring the driver with it, but require administrator approval to install them.
The driver is providing not only the necessary privileges, but also the mechanism to make changes.
In a statement to ZDNet, Mickey Shkatov, Principal Researcher at Eclypsium mentioned:
Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to blacklist drivers that are reported to them.
This feature is only available on 7th generation and later Intel processors; so older CPUs, or newer ones where HCVI is disabled, require the drivers to be manually uninstalled.
Microsoft also added:
In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer.
An attacker who has compromised the system in Ring 3 privilege level, could then gain kernel access.
Microsoft has issued this advice:
(Utilise) Windows Defender Application Control to block unknown vulnerable software and drivers.
Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security
Here’s the full list of all vendors who have already updated their drivers:
- ASUSTeK Computer
- ATI Technologies (AMD)
- Micro-Star International (MSI)
- Phoenix Technologies
- Realtek Semiconductor