Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/12/2019
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Researchers Disclose New Vulnerabilities in Windows Drivers

Attackers could take advantage of simple design flaws in widely distributed drivers to gain control over Windows systems.

Eclypsium researchers today disclosed new vulnerabilities in widely distributed Windows drivers, which could be exploited to take over Windows systems, including the device's system and component firmware. These vulnerable drivers directly affect Intel devices, they report.

The findings, published today, build on previous research shared in August, when Eclypsium detailed how attackers could abuse simple design flaws in widely distributed drivers to modify the Windows kernel or device firmware. In doing so, they could access and persist in the deepest levels of a machine, gaining high privileges while avoiding traditional security tools.

"Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host," researchers wrote in their August findings.

An attacker or malware in the user space of a device (ring 3) could take advantage of a vulnerable driver to read and write data to kernel space (ring 0) and even lower-level firmware components. "You can compromise the integrity of Windows [and] can get privilege escalation from a user application into the kernel," says principal researcher Jesse Michael. "You can also use this kind of direct device access to modify firmware maliciously."

These vulnerable drivers, they note, are all valid tools that vendors release to help manage or update machines. They are properly sealed and meant to be trusted on almost any device.

Many of the drivers Eclypsium found flawed were disclosed in the August research; however, two drivers from Intel were held until a fix and advisory were ready. These were released later in August and are now public at Intel Processor Identification Utility for Windows Advisory (INTEL-SA-00281) and Intel Computing Improvement Program Advisory (INTEL-SA-00283).

The Intel PMx driver, also called PMxDrv, was also held under embargo due to complexities of the issue, researchers report today. Analysis of the driver revealed it was "incredibly capable" and contained a "superset" of capabilities previously seen in drivers. PMxDrv can read/write to physical memory, read/write to model specific registers, read/write to control registers, read/write to the interrupt descriptor table and global descriptor able, read/write to debug registers, arbitrarily gain I/O access, and arbitrarily gain PCI access, they wrote in a blog post on today's news. Michael calls it a "Swiss army knife" driver: Attackers can use it to do whatever they want.

"This level of access can provide an attacker with near-omnipotent control over a victim device," the researchers explained. The flawed driver has been included in many Intel ME and BIOS related toolsets dating back to 1999. A tool released by Intel to mitigate a recent AMT flaw contained this driver as part of the toolset; as a result, someone who downloaded and ran the tool to see whether a system was vulnerable unintentionally compromised the system, Michael adds.

Eclypsium has been working with Intel's PSIRT team on this problem; as of today, it has released updated versions of the driver to mitigate the vulnerability.

Defending Against Compromised Admins
Most drivers the researchers analyzed could be exploited by an unprivileged user to modify device firmware or attack the running kernel with unfiltered IO, PCI, or MMIO access. However, they say, some drivers had restrictions to only allow use by processes with admin privileges.

Microsoft's Windows security model for driver developers explains security boundaries in how drivers operate within Windows. This model describes the path between an admin process and a kernel driver as a "noteworthy trust boundary." However, according to Microsoft's Security Servicing Criteria for Windows, processes running in user space with admin privileges are treated the same as in the Windows kernel. There is no security boundary between the two.

Researchers found fault with this. While an admin has control over the device, there are security-related operations that even the admin can't touch. Once Secure Boot is enabled, a reboot and process to verify physical presence should be required to disable it, they explain. Many security controls can't be disabled at runtime without a system reboot.

"Allowing a compromised Administrator process to read and write kernel memory and otherwise launch attacks against the kernel renders these controls ineffective and leaves a gaping security hole," researchers say.

Other companies have taken steps to protect against compromised admins, Michael points out. Apple's System Integrity Protection was built to protect macOS components from malicious software, even running as root with full admin privileges. Admins can disable this, but not at runtime, and they must turn the system off and reboot into Recovery OS to disable protection.

Linux has Kernel Lockdown to prevent a root user from performing operations that could harm the integrity of the kernel. Most Linux distributions have been shipping versions of the protection for years, and the patch has been accepted into the mainline Linux Kernel.

As of now, there is no universally applicable way to prevent Windows from loading any of the bad drivers Eclypsium has disclosed so far. Researchers report Microsoft is addressing the problem through its HVCI technology, which will let Microsoft act as a virtual firewall to protect the kernel. Right now, admins' best option is to block or blacklist old, known-bad drivers.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops'."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
GDPR Enforcement Loosens Amid Pandemic
Seth Rosenblatt, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4306
PUBLISHED: 2020-05-29
IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: ...
CVE-2020-4352
PUBLISHED: 2020-05-29
IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when running in restricted mode. IBM X-Force ID: 178427.
CVE-2020-4490
PUBLISHED: 2020-05-29
IBM Business Automation Workflow 18 and 19, and IBM Business Process Manager 8.0, 8.5, and 8.6 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a vitcim to a phishing site. IBM X-Force ID: 1...
CVE-2020-5572
PUBLISHED: 2020-05-29
Android App 'Mailwise for Android' 1.0.0 to 1.0.1 allows an attacker to obtain credential information registered in the product via unspecified vectors.
CVE-2020-5573
PUBLISHED: 2020-05-29
Android App 'kintone mobile for Android' 1.0.0 to 2.5 allows an attacker to obtain credential information registered in the product via unspecified vectors.