Security Experts:

Vulnerabilities in Device Drivers From 20 Vendors Expose PCs to Persistent Malware

Device driver vulnerabilities allow malware to infect firmware

Researchers at firmware security company Eclypsium have analyzed device drivers from major vendors and identified over 40 drivers from 20 firms containing serious vulnerabilities that can be exploited to deploy persistent malware.

Device drivers provide access to the BIOS/UEFI or other system components with the purpose of allowing users to update firmware, perform diagnostics, and change settings. However, vulnerabilities in these drivers can pose a serious threat as they can allow an attacker to escalate privileges to the highest level and become highly persistent.

Privilege escalation flaws were previously found in drivers from Huawei, ASUS, ASRock, Gigabyte and others, and some sophisticated threats, such as the Slingshot campaign and some Fancy Bear attacks, exploited these types of weaknesses to deploy rootkits.

Eclypsium wanted to find out just how common device driver vulnerabilities are and its researchers analyzed software from AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro, Toshiba, and other vendors who have not been named due to their work in highly regulated environments.

According to Eclypsium, the security holes found by its employees in these drivers can be exploited to escalate privileges from user mode to kernel mode, which gives a piece of malware running on the targeted machine access not only to the operating system, but also to the device’s hardware and firmware interfaces (e.g. the BIOS).

If one of the vulnerable drivers is not already present on the targeted machine, attackers can install the driver themselves, but that requires administrator privileges to the system.

Mickey Shkatov, principal researcher at Eclypsium, told SecurityWeek that all the tested drivers have the same class of vulnerability where the “kernel driver performs arbitrary access to privileged components on behalf of userspace request to read or write things that need to be protected from userspace.” However, he noted that the specific privileged resources and access primitives are different for each driver.

“Depending on the driver, a userspace application can ask the driver to read or write kernel memory, read or write physical memory, perform arbitrary PCI/IO access to devices (which can be used to maliciously modify system and device firmware), or read or write security-critical CPU controls such as Model Specific Registers (MSRs), Control Registers (CRs), and Debug Registers (DRs),” Shkatov explained. “Some drivers provide all of these capabilities, others only provide one of them, some provide a few.”

Eclypsium pointed out that all of the drivers come from trusted vendors, the files are signed by valid Certificate Authorities, and they are certified by Microsoft.

“These issues apply to all modern versions of Microsoft Windows and there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers. Implementing group policies and other features specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users. Once installed, these drivers can reside on a device for long periods of time unless specifically updated or uninstalled,” the company said in a blog post.

Each of the impacted vendors has been notified and given more than 90 days to release patches. However, Shkatov said only Intel and Huawei released patches and public advisories, and Phoenix and Insyde have provided patches to their OEM customers, which can distribute them to end users. Two other vendors have promised to release fixes, eight companies confirmed receiving the vulnerability report but did not say if and when any patches might be released, and five vendors did not respond at all.

Microsoft was also notified by Eclypsium. The tech giant pointed out that an attacker needs to gain access to the targeted device before launching such an attack. The company says this class of issues can be mitigated by using Windows Defender Application Control to block known vulnerable software and drivers, and by turning on memory integrity in Windows Security for capable devices.

Eclypsium researchers detailed their findings on Saturday at the DEFCON hacker conference in Las Vegas.

Related: Hackers Can Plant Backdoors on Bare Metal Cloud Servers

Related: Servers Can Be Bricked Remotely via BMC Attack

Related: BMC Firmware Vulnerabilities Affect Lenovo, Gigabyte Servers

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.