Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/12/2019
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Researchers Disclose New Vulnerabilities in Windows Drivers

Attackers could take advantage of simple design flaws in widely distributed drivers to gain control over Windows systems.

Eclypsium researchers today disclosed new vulnerabilities in widely distributed Windows drivers, which could be exploited to take over Windows systems, including the device's system and component firmware. These vulnerable drivers directly affect Intel devices, they report.

The findings, published today, build on previous research shared in August, when Eclypsium detailed how attackers could abuse simple design flaws in widely distributed drivers to modify the Windows kernel or device firmware. In doing so, they could access and persist in the deepest levels of a machine, gaining high privileges while avoiding traditional security tools.

"Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host," researchers wrote in their August findings.

An attacker or malware in the user space of a device (ring 3) could take advantage of a vulnerable driver to read and write data to kernel space (ring 0) and even lower-level firmware components. "You can compromise the integrity of Windows [and] can get privilege escalation from a user application into the kernel," says principal researcher Jesse Michael. "You can also use this kind of direct device access to modify firmware maliciously."

These vulnerable drivers, they note, are all valid tools that vendors release to help manage or update machines. They are properly sealed and meant to be trusted on almost any device.

Many of the drivers Eclypsium found flawed were disclosed in the August research; however, two drivers from Intel were held until a fix and advisory were ready. These were released later in August and are now public at Intel Processor Identification Utility for Windows Advisory (INTEL-SA-00281) and Intel Computing Improvement Program Advisory (INTEL-SA-00283).

The Intel PMx driver, also called PMxDrv, was also held under embargo due to complexities of the issue, researchers report today. Analysis of the driver revealed it was "incredibly capable" and contained a "superset" of capabilities previously seen in drivers. PMxDrv can read/write to physical memory, read/write to model specific registers, read/write to control registers, read/write to the interrupt descriptor table and global descriptor able, read/write to debug registers, arbitrarily gain I/O access, and arbitrarily gain PCI access, they wrote in a blog post on today's news. Michael calls it a "Swiss army knife" driver: Attackers can use it to do whatever they want.

"This level of access can provide an attacker with near-omnipotent control over a victim device," the researchers explained. The flawed driver has been included in many Intel ME and BIOS related toolsets dating back to 1999. A tool released by Intel to mitigate a recent AMT flaw contained this driver as part of the toolset; as a result, someone who downloaded and ran the tool to see whether a system was vulnerable unintentionally compromised the system, Michael adds.

Eclypsium has been working with Intel's PSIRT team on this problem; as of today, it has released updated versions of the driver to mitigate the vulnerability.

Defending Against Compromised Admins
Most drivers the researchers analyzed could be exploited by an unprivileged user to modify device firmware or attack the running kernel with unfiltered IO, PCI, or MMIO access. However, they say, some drivers had restrictions to only allow use by processes with admin privileges.

Microsoft's Windows security model for driver developers explains security boundaries in how drivers operate within Windows. This model describes the path between an admin process and a kernel driver as a "noteworthy trust boundary." However, according to Microsoft's Security Servicing Criteria for Windows, processes running in user space with admin privileges are treated the same as in the Windows kernel. There is no security boundary between the two.

Researchers found fault with this. While an admin has control over the device, there are security-related operations that even the admin can't touch. Once Secure Boot is enabled, a reboot and process to verify physical presence should be required to disable it, they explain. Many security controls can't be disabled at runtime without a system reboot.

"Allowing a compromised Administrator process to read and write kernel memory and otherwise launch attacks against the kernel renders these controls ineffective and leaves a gaping security hole," researchers say.

Other companies have taken steps to protect against compromised admins, Michael points out. Apple's System Integrity Protection was built to protect macOS components from malicious software, even running as root with full admin privileges. Admins can disable this, but not at runtime, and they must turn the system off and reboot into Recovery OS to disable protection.

Linux has Kernel Lockdown to prevent a root user from performing operations that could harm the integrity of the kernel. Most Linux distributions have been shipping versions of the protection for years, and the patch has been accepted into the mainline Linux Kernel.

As of now, there is no universally applicable way to prevent Windows from loading any of the bad drivers Eclypsium has disclosed so far. Researchers report Microsoft is addressing the problem through its HVCI technology, which will let Microsoft act as a virtual firewall to protect the kernel. Right now, admins' best option is to block or blacklist old, known-bad drivers.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops'."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.