Windows 10 News and info | Forum
Topic: Over 40 Windows Hardware Drivers Vulnerable To Privilege Escalation
« on: August 11, 2019, 07:23:01 PM »

Researchers analyzing the security of legitimate device drivers found that more than 40 from at least 20 hardware vendors can be abused to achieve privilege escalation.

Hardware represents the building blocks of a computer on top of which software resides. Drivers are what allows the operating system to identify the hardware components and interact with them.

Driver code enables communication between the OS kernel and the hardware, enjoying a higher permission level than the normal user and the administrator of the system.

Therefore, vulnerabilities in drivers are a serious issue as they can be exploited by a malicious actor to gain access to the kernel and get the highest privileges on the operating system (OS).

Since drivers are also used to update hardware firmware, they can reach components operating at an even deeper level that is off-limits for the OS, and change the way they function or brick them.

BIOS and UEFI firmware, for instance, are low-level software that starts before the operating system, when you turn on the computer. Malware planted in this component is invisible to most security solutions and cannot be removed by reinstalling the OS.

Drivers are trusted

Researchers at the firmware and hardware security firm Eclypsium discovered more than 40 drivers that could be abused to elevate privileges from user space to kernel permissions.

The vendors affected include every major BIOS vendor and big names in the computer hardware business like ASUS, Toshiba, Intel, Gigabyte, Nvidia, or Huawei.

"All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory." - Eclypsium

From the kernel, an attacker can move to firmware and hardware interfaces, allowing them to compromise the target host beyond the detection capabilities of normal threat protection products, which operate at the OS level.

Installing drivers on Windows requires administrator privileges, and the drivers need to come from trusted parties certified by Microsoft. The code is also signed by valid Certificate Authorities to prove authenticity. In the absence of a signature, Windows issues a warning to the user.

However, Eclypsium's research refers to legitimate drivers with valid signatures accepted by Windows. These drivers are not designed to be malicious but contain vulnerabilities that can be abused by malicious programs and actors.

The researchers say that among the vulnerable drivers they found some that interact with graphics cards, network adapters, hard drives, and other devices.

Risk is not hypothetical

Malware planted in these components "could read, write, or redirect data stored, displayed or sent over the network." Furthermore, the components could be disabled, triggering a denial-of-service condition on the system.

Attacks leveraging vulnerable drivers are not theoretical. They've been identified in cyber-espionage operations attributed to well-financed hackers.

The Slingshot APT group used older vulnerable drivers to elevate privileges on infected computers. The Lojax rootkit from APT28 (a.k.a. Sednit, Fancy Bear, Strontium, Sofacy) was more insidious, as it lodged in the UEFI firmware via a signed driver.

All modern versions of Windows are impacted by this problem and no mechanism exists at a wider scale to prevent the vulnerable drivers from loading.

An attack scenario is not limited to systems that already have a vulnerable driver installed. Threat actors can add them specifically for privilege escalation and persistence purposes.

Solutions to mitigate this threat include regular scanning for outdated system and component firmware, and applying the latest driver fixes from device manufacturers in order to resolve any vulnerabilities.

Below is a partial list of affected vendors as some of the others are still under embargo.

American Megatrends International (AMI)
ASUSTeK Computer
ATI Technologies (AMD)
Micro-Star International (MSI)
Phoenix Technologies
Realtek Semiconductor



Powered by SMF 1.1.21 | SMF © 2017, Simple Machines
