Security Experts:

Intel Driver Vulnerability Can Give Attackers Deep Access to a Device

Serious vulnerability found in Intel device driver.

A vulnerability affecting a powerful and widely used driver from Intel can give malicious actors deep access to a device, firmware security company Eclypsium warns.

Eclypsium revealed in August that its researchers had identified serious vulnerabilities in more than 40 device drivers from 20 vendors, including AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro and Toshiba.

The flaws uncovered by the company can be exploited by a piece of malware to escalate privileges to kernel mode, allowing it to gain control over both the operating system and hardware and firmware interfaces.

Of all the vendors notified by Eclypsium until August, only Intel and Huawei released patches and advisories, and Phoenix and Insyde provided fixes to their OEM customers.

Eclypsium now says Intel this week also released patches for a vulnerability in its PMx Driver (PMxDrv). The security flaw affecting the PMx driver poses a serious risk due to the fact that the driver can read and write to physical memory, to model specific registers, control registers, IDT and GDT descriptor tables, and to debug registers. The driver can also gain I/O and PCI access.

“This level of access can provide an attacker with near-omnipotent control over a victim device,” Eclypsium warned in a blog post published on Tuesday.

The PMx driver, Eclypsium says, is “one of the most capable, feature-rich, and most common drivers we have seen to date.” The company explained that the driver is delivered by Intel with a tool provided to OEM vendors and their customers for updating a device’s BIOS, and it was also provided to customers as part of a toolset released in response to the discovery of some vulnerabilities in Intel technology.

One way to prevent attacks exploiting these types of vulnerabilities involves the use of Microsoft’s hypervisor-protected code integrity (HVCI) technology, which should protect the operating system kernel. However, the technology only works with newer processors.

Eclypsium says the best option for preventing attacks involves blocking or blacklisting problematic drivers. For example, Insyde, one of the companies whose drivers were found to be vulnerable, reached out to Microsoft and asked the tech giant to block affected versions of the driver via Windows Defender. According to Eclypsium, Insyde is the only vendor to have taken this step.

Related: Hackers Can Plant Backdoors on Bare Metal Cloud Servers

Related: Servers Can Be Bricked Remotely via BMC Attack

Related: BMC Firmware Vulnerabilities Affect Lenovo, Gigabyte Servers

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.