Researchers analyzing the safety of legitimate device drivers have found that more than 40 of at least 20 hardware suppliers can be abused to increase privilege.
Hardware is the building blocks of a computer that contains software. The drivers allow the operating system to identify and interact with hardware components.
The driver code enables communication between the OS kernel and the hardware and enables a higher level of permission than the user and system administrator.
Therefore, driver vulnerabilities are a serious problem, as a malicious actor can use them to access the kernel and obtain the highest operating system (OS) privileges.
Since drivers are used for upgrading hardware firmware too, they can reach even deeper components that are free of OS limitations and change their functioning or bricking.
For example, BIOS and UEFI firmware are low-level software, which starts before the operating system when the computer is activated. Malware that is plantted in this component can not be removed by reinstalling the OS and is invisible to most security solutions.
Drivers are trusted
Researchers in the Eclypsium firm of firmware and hardware found more than 40 drivers that could be abused to increase user privileges to kernel permissions.
Every major BIOS vendor and major names in the computer hardware business such as ASUS, Toshiba, Intel, Gigabyte, Nvidia, and Huawei are included in the list (list below).
“All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory.” – Eclypsium
An attacker can move from the kernel to firmware and hardware interfaces that can compromise the target host over and above the detection capacity of normal OS-level threat protection products.
Installing Windows drivers requires the privileges of administrator and must be Microsoft certified trusted parties. In order to demonstrate authenticity, the code is also signed by valid certificate authorities. In the absence of a signature, Windows gives the user a warning.
Eclypsium research, however, refers to legitimate drivers with valid Windows-approved signatures. These drivers are not designed for malicious purposes but contain vulnerabilities that malicious programs and actors can abuse.
The researchers say some drivers interacting with graphic cards, network adapters, hard drives and other devices have been found among the vulnerable drivers.
In those components, malware “can read, write or redirect data saved, displayed or sent via the network.” In addition, components can be disabled, causing a system Denial-of-Service condition.
Vulnerable drivers ‘ attacks are not theoretical. They have been identified by well-financed hackers in cyber-espionage operations.
In the Slingshot APT group old vulnerable drivers have been used to increase the privileges on infected computers. The APT28 lojax rootkit (such as Sednit, Fancy Bear, Strontium Sofacy) was more insidious when it was lodged with a signed driver in the UEFI firmware.
All modern Windows versions are affected by this problem and there is no wider mechanism to prevent vulnerable drivers from being loaded.
A scenario of attack is not confined to systems with a vulnerable driver already installed. Threat actors can add them for privileges and persistence purposes in particular.
To mitigate this risk, regular scans of outdated system and parts firmware are included and the latest driver fixes are used from device manufacturers to solve vulnerabilities.
Below is a partial list of vendors affected as some are still subject to embargo.
American Megatrends International (AMI)
ATI Technologies (AMD)
Micro-Star International (MSI)