Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

checkLoop 1checkLoop 2checkLoop 3
11/12/2019
03:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Researchers Disclose New Vulnerabilities in Windows Drivers

Attackers could take advantage of simple design flaws in widely distributed drivers to gain control over Windows systems.

Eclypsium researchers today disclosed new vulnerabilities in widely distributed Windows drivers, which could be exploited to take over Windows systems, including the device's system and component firmware. These vulnerable drivers directly affect Intel devices, they report.

The findings, published today, build on previous research shared in August, when Eclypsium detailed how attackers could abuse simple design flaws in widely distributed drivers to modify the Windows kernel or device firmware. In doing so, they could access and persist in the deepest levels of a machine, gaining high privileges while avoiding traditional security tools.

"Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host," researchers wrote in their August findings.

An attacker or malware in the user space of a device (ring 3) could take advantage of a vulnerable driver to read and write data to kernel space (ring 0) and even lower-level firmware components. "You can compromise the integrity of Windows [and] can get privilege escalation from a user application into the kernel," says principal researcher Jesse Michael. "You can also use this kind of direct device access to modify firmware maliciously."

These vulnerable drivers, they note, are all valid tools that vendors release to help manage or update machines. They are properly sealed and meant to be trusted on almost any device.

Many of the drivers Eclypsium found flawed were disclosed in the August research; however, two drivers from Intel were held until a fix and advisory were ready. These were released later in August and are now public at Intel Processor Identification Utility for Windows Advisory (INTEL-SA-00281) and Intel Computing Improvement Program Advisory (INTEL-SA-00283).

The Intel PMx driver, also called PMxDrv, was also held under embargo due to complexities of the issue, researchers report today. Analysis of the driver revealed it was "incredibly capable" and contained a "superset" of capabilities previously seen in drivers. PMxDrv can read/write to physical memory, read/write to model specific registers, read/write to control registers, read/write to the interrupt descriptor table and global descriptor able, read/write to debug registers, arbitrarily gain I/O access, and arbitrarily gain PCI access, they wrote in a blog post on today's news. Michael calls it a "Swiss army knife" driver: Attackers can use it to do whatever they want.

"This level of access can provide an attacker with near-omnipotent control over a victim device," the researchers explained. The flawed driver has been included in many Intel ME and BIOS related toolsets dating back to 1999. A tool released by Intel to mitigate a recent AMT flaw contained this driver as part of the toolset; as a result, someone who downloaded and ran the tool to see whether a system was vulnerable unintentionally compromised the system, Michael adds.

Eclypsium has been working with Intel's PSIRT team on this problem; as of today, it has released updated versions of the driver to mitigate the vulnerability.

Defending Against Compromised Admins
Most drivers the researchers analyzed could be exploited by an unprivileged user to modify device firmware or attack the running kernel with unfiltered IO, PCI, or MMIO access. However, they say, some drivers had restrictions to only allow use by processes with admin privileges.

Microsoft's Windows security model for driver developers explains security boundaries in how drivers operate within Windows. This model describes the path between an admin process and a kernel driver as a "noteworthy trust boundary." However, according to Microsoft's Security Servicing Criteria for Windows, processes running in user space with admin privileges are treated the same as in the Windows kernel. There is no security boundary between the two.

Researchers found fault with this. While an admin has control over the device, there are security-related operations that even the admin can't touch. Once Secure Boot is enabled, a reboot and process to verify physical presence should be required to disable it, they explain. Many security controls can't be disabled at runtime without a system reboot.

"Allowing a compromised Administrator process to read and write kernel memory and otherwise launch attacks against the kernel renders these controls ineffective and leaves a gaping security hole," researchers say.

Other companies have taken steps to protect against compromised admins, Michael points out. Apple's System Integrity Protection was built to protect macOS components from malicious software, even running as root with full admin privileges. Admins can disable this, but not at runtime, and they must turn the system off and reboot into Recovery OS to disable protection.

Linux has Kernel Lockdown to prevent a root user from performing operations that could harm the integrity of the kernel. Most Linux distributions have been shipping versions of the protection for years, and the patch has been accepted into the mainline Linux Kernel.

As of now, there is no universally applicable way to prevent Windows from loading any of the bad drivers Eclypsium has disclosed so far. Researchers report Microsoft is addressing the problem through its HVCI technology, which will let Microsoft act as a virtual firewall to protect the kernel. Right now, admins' best option is to block or blacklist old, known-bad drivers.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops'."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19777
PUBLISHED: 2019-12-13
stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read in stbi__load_main.
CVE-2019-19778
PUBLISHED: 2019-12-13
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer over-read in the function load_sixel at loader.c.
CVE-2019-16777
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of pa...
CVE-2019-16775
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publi...
CVE-2019-16776
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain...
checkLoop 4