A vulnerability affecting a powerful and widely used Intel driver can give malicious actors extensive access to a device, firmware security company Eclypsium warns.
In August, Eclypsium revealed that more than 40 device drivers from 20 vendors, including AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro and Toshiba, were found to contain severe vulnerabilities.
These weaknesses can be abused by malware to escalate privileges to kernel mode, giving control over the operating system as well as hardware and firmware interfaces.
Of all the vendors Eclypsium had notified, as of August only Intel and Huawei had issued updates and advisories, while Phoenix and Insyde had provided fixes to their OEM customers.
Eclypsium now confirms that Intel this week released updates for a bug in its PMx driver (PMxDrv). The PMx driver’s security flaw poses a severe risk because the driver can read and write physical memory, model-specific registers, the IDT and GDT descriptor tables, and debug registers. The driver can also access I/O ports and PCI.
“This level of access can give an attacker almost omnipotent control of a victim system,” warned Eclypsium in a Tuesday blog post.
The PMx driver, says Eclypsium, “is one of the most versatile, feature-rich and the most popular drivers we’ve ever seen.” The company clarified that Intel ships the driver with a device-update tool for OEM vendors and customers, and has also supplied it to customers in a toolkit for finding vulnerabilities in Intel technology.
Microsoft’s hypervisor-protected code integrity (HVCI) is one way to prevent attacks that exploit these vulnerabilities, as it is designed to protect the operating system kernel. The technology works only on newer processors, however.
Eclypsium says that blocking or blacklisting problem drivers is the best way to prevent attacks. For instance, Insyde, one of the companies whose drivers were found vulnerable, approached Microsoft and requested that the tech giant block affected driver versions through Windows Defender. Insyde is the only vendor that has taken this measure, according to Eclypsium.
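As an added defender-side check, not part of the Eclypsium report or Intel’s tooling, the following PowerShell script reports whether HVCI is running and flags any installed kernel driver whose name matches a pattern; the default pattern “PMxDrv” and the driver-path normalisation are assumptions. Any match is hashed so the file can be compared against a vendor advisory or added to a block rule.

```powershell
# Added example (not from the Eclypsium report or Intel). Requires Windows 10 / Server 2016 or later.
param(
    [string]$DriverNamePattern = 'PMxDrv'   # assumption: the driver's service or file name contains this
)

# Win32_DeviceGuard exposes the Virtualization Based Security (VBS) state.
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
# SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
try {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    $vbsStatus   = $dg.VirtualizationBasedSecurityStatus
} catch {
    Write-Warning "Could not query Win32_DeviceGuard (unsupported OS or access denied): $_"
    $hvciRunning = $false
    $vbsStatus   = $null
}

[pscustomobject]@{ VbsStatus = $vbsStatus; HvciRunning = $hvciRunning }

# Enumerate installed kernel drivers and keep those whose name or image path matches the pattern.
$found = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match $DriverNamePattern -or $_.PathName -match $DriverNamePattern }

foreach ($drv in $found) {
    # Normalise the kernel-style path (\SystemRoot\..., \??\C:\...) so Get-FileHash can open it.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $hash = if (Test-Path -LiteralPath $path) {
        (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else { 'file not found' }

    [pscustomobject]@{
        Name      = $drv.Name
        State     = $drv.State       # Running / Stopped
        StartMode = $drv.StartMode   # Boot / System / Auto / Manual / Disabled
        Path      = $path
        SHA256    = $hash
    }
}

if (-not $found) { Write-Output "No driver matching '$DriverNamePattern' is installed." }
if (-not $hvciRunning) {
    Write-Warning 'HVCI is not running: a vulnerable driver that loads will execute with full kernel privileges.'
}
```

Compare the reported SHA256 values against the vendor’s advisory before deciding whether a matched driver is a patched or an affected version.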