Vulnerabilities in Device Drivers From 20 Vendors Expose PCs to Persistent Malware

Device driver vulnerabilities allow malware to infect firmware

Device driver vulnerabilities allow malware to infect firmware

Researchers at firmware security company Eclypsium have analyzed device drivers from major vendors and identified over 40 drivers from 20 firms containing serious vulnerabilities that can be exploited to deploy persistent malware.

Device drivers give software access to the BIOS/UEFI and other system components so that users can update firmware, run diagnostics, and change settings. Vulnerabilities in these drivers are a serious threat, however, because they can let an attacker escalate privileges to the highest level and gain a highly persistent foothold.

Privilege escalation flaws were previously found in drivers from Huawei, ASUS, ASRock, Gigabyte and others, and some sophisticated threats, such as the Slingshot campaign and some Fancy Bear attacks, exploited these types of weaknesses to deploy rootkits.

Eclypsium wanted to find out just how common device driver vulnerabilities are and its researchers analyzed software from AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro, Toshiba, and other vendors who have not been named due to their work in highly regulated environments.

According to Eclypsium, the security holes found by its employees in these drivers can be exploited to escalate privileges from user mode to kernel mode, which gives a piece of malware running on the targeted machine access not only to the operating system, but also to the device’s hardware and firmware interfaces (e.g. the BIOS).

If one of the vulnerable drivers is not already present on the targeted machine, attackers can install the driver themselves, but that requires administrator privileges to the system.

Mickey Shkatov, principal researcher at Eclypsium, told SecurityWeek that all the tested drivers have the same class of vulnerability where the “kernel driver performs arbitrary access to privileged components on behalf of userspace request to read or write things that need to be protected from userspace.” However, he noted that the specific privileged resources and access primitives are different for each driver.

“Depending on the driver, a userspace application can ask the driver to read or write kernel memory, read or write physical memory, perform arbitrary PCI/IO access to devices (which can be used to maliciously modify system and device firmware), or read or write security-critical CPU controls such as Model Specific Registers (MSRs), Control Registers (CRs), and Debug Registers (DRs),” Shkatov explained. “Some drivers provide all of these capabilities, others only provide one of them, some provide a few.”

Eclypsium pointed out that all of the drivers come from trusted vendors, the files are signed by valid Certificate Authorities, and they are certified by Microsoft.

“These issues apply to all modern versions of Microsoft Windows and there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers. Implementing group policies and other features specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users. Once installed, these drivers can reside on a device for long periods of time unless specifically updated or uninstalled,” the company said in a blog post.

Each of the impacted vendors has been notified and given more than 90 days to release patches. However, Shkatov said only Intel and Huawei released patches and public advisories, and Phoenix and Insyde have provided patches to their OEM customers, which can distribute them to end users. Two other vendors have promised to release fixes, eight companies confirmed receiving the vulnerability report but did not say if and when any patches might be released, and five vendors did not respond at all.

Microsoft was also notified by Eclypsium. The tech giant pointed out that an attacker needs to gain access to the targeted device before launching such an attack. The company says this class of issues can be mitigated by using Windows Defender Application Control to block known vulnerable software and drivers, and by turning on memory integrity in Windows Security for capable devices.
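The mitigation Microsoft describes relies on two things a defender can check: whether memory integrity (HVCI) is actually running, and which kernel drivers are installed so that known bad ones can be blocked with a WDAC policy. The PowerShell below is an added illustration, not code from the article, Eclypsium or Microsoft; it inventories installed drivers with their signer and SHA-256, flags any that match a blocklist, and reports the memory integrity state. The blocklist entries are constructed placeholders, not hashes from the research, and the script assumes an elevated session on Windows 10 or later.

```powershell
# Added example (not from the article or the researchers): inventory kernel
# drivers, flag blocklisted hashes, and report memory integrity (HVCI) status.
# Assumes an elevated PowerShell session on Windows 10/11.

# Constructed placeholders; replace with real SHA-256 values from a vetted
# vulnerable-driver blocklist before use.
$Blocklist = @(
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_1',
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_2'
)

function Get-KernelDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may be quoted or prefixed with \??\ or \SystemRoot; normalise it
            $path = $_.PathName -replace '"', '' `
                                -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{
                Name        = $_.Name
                State       = $_.State
                Path        = $path
                Signer      = $sig.SignerCertificate.Subject
                SigStatus   = $sig.Status
                Sha256      = $hash
                Blocklisted = ($Blocklist -contains $hash)
            }
        }
}

function Get-MemoryIntegrityState {
    # In Win32_DeviceGuard, the value 2 in the SecurityServices arrays denotes
    # hypervisor-enforced code integrity, i.e. "memory integrity" in Windows Security.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Configured = ($dg.SecurityServicesConfigured -contains 2)
        Running    = ($dg.SecurityServicesRunning -contains 2)
    }
}

$inventory = Get-KernelDriverInventory
$inventory | Where-Object Blocklisted | Format-Table Name, Path, Signer, Sha256 -AutoSize
Get-MemoryIntegrityState
```

The full inventory (signer and hash per driver) is the input a defender needs to author WDAC deny rules; a driver that is signed and Microsoft-certified still shows up here, which is the point the article makes about why signatures alone are not a control.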

Eclypsium researchers detailed their findings on Saturday at the DEFCON hacker conference in Las Vegas.

Related: Hackers Can Plant Backdoors on Bare Metal Cloud Servers

Related: Servers Can Be Bricked Remotely via BMC Attack

Related: BMC Firmware Vulnerabilities Affect Lenovo, Gigabyte Servers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
