Windows 10 Security Alert: Vulnerabilities Found in Over 40 Drivers

August 10, 2019, 06:45 PM

Researchers analyzing the security of legitimate device drivers found that more than 40 drivers from at least 20 hardware vendors contain vulnerabilities that can be abused to achieve privilege escalation.

Hardware represents the building blocks of a computer on top of which software resides. Drivers are what allow the operating system to identify the hardware components and interact with them.

Driver code enables communication between the OS kernel and the hardware, enjoying a higher permission level than the normal user and the administrator of the system.

Therefore, vulnerabilities in drivers are a serious issue as they can be exploited by a malicious actor to gain access to the kernel and get the highest privileges on the operating system (OS).

Since drivers are also used to update hardware firmware, they can reach components operating at an even deeper level that is off-limits for the OS, and change the way they function, or brick them.

BIOS and UEFI firmware, for instance, are low-level software that starts before the operating system, when you turn on the computer. Malware planted in this component is invisible to most security solutions and cannot be removed by reinstalling the OS.

Drivers are trusted

Researchers at firmware and hardware security firm Eclypsium discovered more than 40 drivers that could be abused to elevate privileges from user space to kernel permissions.

The vendors affected (a partial list appears at the end of this article) include every major BIOS vendor and big names in the computer hardware business like ASUS, Toshiba, Intel, Gigabyte, Nvidia, or Huawei.

"All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory." - Eclypsium

From the kernel, an attacker can move to firmware and hardware interfaces, allowing them to compromise the target host beyond detection capabilities of normal threat protection products, which operate at OS level.

Installing drivers on Windows requires administrator privileges, and the drivers need to come from trusted parties certified by Microsoft. The code is also signed by valid Certificate Authorities to prove authenticity. In the absence of a signature, Windows issues a warning to the user.

However, Eclypsium's research refers to legitimate drivers with valid signatures accepted by Windows. These drivers are not designed to be malicious but contain vulnerabilities that can be abused by malicious programs and actors.

To make matters worse, these drivers affect all modern versions of Windows, including Windows 10.

"These issues apply to all modern versions of Microsoft Windows and there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers."

The researchers say that among the vulnerable drivers they found some that interact with graphics cards, network adapters, hard drives, and other devices.

Risk is not hypothetical

Malware planted in these components "could read, write, or redirect data stored, displayed or sent over the network." Furthermore, the components could be disabled, triggering a denial-of-service condition on the system.

Attacks leveraging vulnerable drivers are not theoretical. They've been identified in cyber-espionage operations attributed to well-financed hackers.

The Slingshot APT group used older vulnerable drivers to elevate privileges on infected computers. The LoJax rootkit from APT28 (a.k.a. Sednit, Fancy Bear, Strontium, Sofacy) was more insidious, as it lodged in the UEFI firmware via a signed driver.

All modern versions of Windows are impacted by this problem, and no universal mechanism exists to prevent the vulnerable drivers from loading.

An attack scenario is not limited to systems that already have a vulnerable driver installed. Threat actors can add them specifically for privilege escalation and persistence purposes.

Solutions to mitigate this threat include regularly scanning for outdated system and component firmware, and applying the latest driver fixes from device manufacturers in order to resolve any vulnerabilities.
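Scanning for outdated or suspect drivers starts with knowing what is actually registered on a host. The script below is an added example written for this article, not code from the article, Eclypsium, or Microsoft: it inventories the kernel-mode drivers on a Windows machine with their file version, Authenticode signer and SHA-256, writes the result to CSV, and flags anything that is unsigned or that matches a local watch list. The watch-list hashes and the output path are assumptions; the hash values shown are placeholders to be replaced with entries from a vetted source.

```powershell
# Added example (not from the article or any vendor): inventory the kernel drivers
# registered on a Windows host and flag unsigned or watch-listed images.
# Run from an elevated PowerShell prompt.

# PLACEHOLDER watch list: SHA-256 -> label. Replace with hashes from a vetted source.
$WatchList = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'PLACEHOLDER-vulnerable-driver-A'
    '1111111111111111111111111111111111111111111111111111111111111111' = 'PLACEHOLDER-vulnerable-driver-B'
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver may report NT-style prefixes; normalise them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    return $p
}

function Get-KernelDriverInventory {
    # Win32_SystemDriver lists kernel-mode drivers, running or stopped, with their image path.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }
        $path = Resolve-DriverPath -PathName $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $ver  = (Get-Item -LiteralPath $path).VersionInfo.FileVersion

        [pscustomobject]@{
            Name     = $_.Name
            State    = $_.State
            Path     = $path
            Version  = $ver
            SigState = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256   = $hash
            WatchHit = $WatchList[$hash]    # $null unless the hash is on the watch list
        }
    }
}

$inventory = Get-KernelDriverInventory

# Unsigned images and watch-list matches are the ones worth investigating first.
$flagged = $inventory | Where-Object { $_.SigState -ne 'Valid' -or $_.WatchHit }

# Assumed output location; adjust for your environment.
$inventory | Export-Csv -Path "$env:TEMP\driver-inventory.csv" -NoTypeInformation
$flagged   | Format-Table Name, State, Version, SigState, WatchHit -AutoSize
```

Most inbox Windows drivers are catalog-signed rather than carrying an embedded signature; on current Windows versions Get-AuthenticodeSignature consults the catalogs, so a Valid status is expected for them. Treat a NotSigned result as a prompt to investigate rather than a verdict, and compare the recorded versions against the vendor's latest releases to find the outdated drivers the article recommends updating.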

Below is a partial list of affected vendors as some of the others are still under embargo.

American Megatrends International (AMI)
ASRock
ASUSTeK Computer
ATI Technologies (AMD)
Biostar
EVGA
Getac
GIGABYTE
Huawei
Insyde
Intel
Micro-Star International (MSI)
NVIDIA
Phoenix Technologies
Realtek Semiconductor
SuperMicro
Toshiba


Ionut Ilascu
Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.

Comments

  • Dave Overtoo - 6 years ago

    Fear mongering? Device drivers tend to require physical access to the computer. If the bad actor has physical access then isn't it true that no amount of security features can keep him/her out?

  • redalertfiend - 6 years ago

    That's not fear mongering. Definitely a valid attack vector. I've hated for years that vendors don't update their BIOS or firmware after a few years. They just sell their products, support them for a couple of years with updates, and forget about them, even though many of those products have an effective life quite a bit longer than updates are released. It's sad, and hopefully some bad PR might help change the way they do things.

  • GeoffG68 - 6 years ago

    As a practical matter, I don't see how this will ever be avoided. PCs being commodity objects made of commodity parts, there are a huge number of vendors out there making devices that require hardware drivers. At any given time in the development process there will undoubtedly be bugs in that driver software that will provide an attack vector. "Trust me, I'm a software developer," said nobody, ever, at least not convincingly! (28 years in the field myself.)

    With the huge number of combinations of hardware and software, the PC platform (including laptop and tablet variants) will always be susceptible to this sort of thing. The only way you might possibly avoid it is by taking the Apple approach and not allowing clones of your devices; theoretically with that sort of control over the hardware you might stand perhaps a small chance of ensuring that these sorts of defects don't find their way into production code. But operating systems represent millions of man-years of development effort, and in truth are far too large to ever really be bug free and secure. As Mr. Overtoo mentioned a couple of days back, once somebody has their hands on the box, all bets are off.

    Anyway, I don't think this quite rises to the level of fear mongering, but it certainly doesn't really surprise anyone in the industry. Software is inherently a human product, even when written by other software -- and therefore it's going to have failure points that can be exploited by bad actors. The best defense is to use what tools you have available to keep your information secure within a reasonable amount of effort: using drive encryption, using secure passwords on the device, keeping information that should never be allowed to go public off of systems that are connected to the Internet, using password managers like BitWarden, LastPass, etc., and practicing good computing hygiene: deleting old files and emails when they are no longer needed, not using public WiFi without a VPN, keeping your device physically secure, etc. It's the best you can do, and will be likely forever the case.

  • xorg7 - 6 years ago

    Previous poster please take a look at the following threatpost link.
    https://threatpost.com/driver-disaster-over-40-signed-drivers-cant-pass-security-muster/147199/

    GeoffG68, your solution seems to describe more of the same, and see how that has worked out. Take a look at the following links.
    FOSDEM 19 Open Source Firmware at Facebook
    "If you don't own your firmware, your firmware owns you"
    https://archive.fosdem.org/2019/schedule/event/open_source_firmware_at_facebook/

    Open Source Firmware Conference September 2019
    https://osfc.io/
    Mission Change the way of firmware development, collaborate with others and share knowledge.
    Closed source firmware development has been the de-facto standard for the electronics industry since its inception. That didn't change even when open-source took off in other areas. Now, with changing use cases and strict security requirements, it's more important than ever to take open-source firmware development to the next level.

    Coreboot Fast, secure and flexible OpenSource firmware
    The biggest deployment are Google's Chrome OS devices.
    https://coreboot.org/

    If only the companies mentioned in the article would, instead of dropping firmware support, just open source it.
