Mother of All Drivers – New Vulnerabilities Found in Windows Drivers
Windows Kernel Security Model Enables Attacks
As part of our previous research, released in August 2019, Eclypsium researchers detailed how attackers can abuse simple design flaws in widely used drivers to gain control over Windows-based systems, including the underlying system and component firmware. We originally named 17 vendors shipping these vulnerable drivers. Now, as part of our ongoing analysis, we have discovered additional vulnerable drivers that are among the most feature-rich we have seen so far and which directly affect Intel-based devices. We detail the newest findings on these drivers in this update and share ongoing industry responses to our previous disclosures.
A Quick Recap of Screwed Drivers Vulnerabilities
At the heart of the issue are drivers that allow users to modify the Windows kernel or device firmware. Abuse of such capability can let an attacker gain near-total privileges over a machine while also evading traditional security controls. More specifically, an attacker or malware in the user space of a device (ring 3) can use a vulnerable driver to read and write kernel space (ring 0) and even lower-level firmware components, which are sometimes referred to as negative rings. This low-level control provides an ideal position to steal data, damage the system, and persist on the system outside the view of security controls running at the OS level.
Notably, these drivers are legitimate tools released by vendors to help manage or update devices and are therefore properly signed and trusted on almost any machine. Worse still, there is no universal mechanism to stop a Microsoft OS from loading one of these bad drivers.
Intel PMx Driver
In our previous research, we identified a range of drivers, each with its own capabilities and potential impact on a system. Although many of the vulnerable drivers were disclosed at the time of our previous publication, two drivers from Intel were held under embargo until a fix and security advisory were available. These are now public as the Intel Processor Identification Utility for Windows Advisory and the Intel Computing Improvement Program Advisory as of August 13. Another driver held under embargo, due to the complexity of the issue, was the Intel PMx Driver (also named PMxDrv). During our analysis of the Intel PMx driver, we found it incredibly capable, containing a superset of all the capabilities we had seen previously. For instance, the driver has the ability to:
- Read/write physical memory
- Read/write Model Specific Registers (MSRs)
- Read/write control registers
- Read/write the interrupt descriptor table (IDT) and the global descriptor table (GDT)
- Read/write debug registers
- Arbitrarily gain I/O access
- Arbitrarily gain PCI access
This level of access can provide an attacker with near-omnipotent control over a victim device. Just as importantly, this capability has been included as a staple component of many Intel ME and BIOS-related toolsets going back to 1999. Ironically, the very tool released by Intel to detect and mitigate a recent AMT vulnerability included the vulnerable driver as part of the toolset used to solve the AMT issue. Intel likewise uses the vulnerable driver as part of the Flash Programming Tool, which is provided to OEM vendors and their customers to update Intel-based BIOS. This makes the Intel PMx/PMxDrv one of the most capable, feature-rich, and common drivers we have seen so far.
Eclypsium researchers are working closely with the Intel PSIRT team on the issue and would like to thank them for their prompt and positive response. As of November 12, Intel has released updated versions of pmxdrvx64.sys and pmxdrv.sys to mitigate this vulnerability.
Administrator to Kernel or Hardware
The overwhelming majority of the drivers we examined in our research could be exploited by an unprivileged user to attack the running kernel or modify device firmware via unfiltered I/O, PCI, or MMIO access. However, a few drivers had additional restrictions and could only be used by a process running with Administrator privileges.
Microsoft’s Windows security model for driver developers discusses various security boundaries in how drivers operate within the Windows OS and characterizes the path between an admin process and a kernel driver as a “noteworthy trust boundary”:
“Path (2) is a lower risk path because the app is running with admin rights and is calling directly into the kernel driver. Admin is already a fairly high privilege on the system so the attack surface from admin to kernel is less of an interesting target to attackers, but still a noteworthy trust boundary.”
However, Microsoft’s Security Servicing Criteria for Windows currently treats processes running in user space with Administrator privileges as effectively equivalent to the Windows kernel, and recognizes no security boundary there. Superficially, that makes sense, because the Administrator is meant to have administrative control over the system, which necessarily includes the security configuration of the device. However, under deeper analysis, some significant flaws in that justification become apparent.
Although the Administrator controls the device, many security-sensitive operations are restricted even from the Administrator. For example, once Secure Boot is enabled, a reboot and a process intended to verify physical presence should be required to disable it. Likewise, the Administrator cannot load unsigned kernel modules without rebooting and performing physically present operations during the boot process. Similarly, many security controls cannot be disabled at runtime without a reboot.
Allowing a compromised administrator to read and write kernel memory and otherwise launch attacks against the kernel renders these controls ineffective and leaves a gaping security hole. Alex Ionescu characterized the situation as “Windows 10: Kernel arbitrary writes from Admin aren’t bugs, there’s a party in ring0 and the bouncer is off duty”.
In contrast, Apple’s System Integrity Protection is specifically intended to protect critical parts of macOS against malicious software even when it is running as root with full administrator privileges. System Integrity Protection can be disabled by the Administrator if necessary, but it cannot be done at runtime: they must shut the system down and boot into the Recovery OS to disable this protection.
Likewise, in the Linux ecosystem, the Kernel Lockdown feature prevents the root user from performing operations that could compromise the integrity of the kernel. This is a crucial security control, and the majority of Linux distributions have been shipping versions of this protection mechanism for years. The patch has now been accepted into the mainline Linux kernel.
In addition, the Linux Self Protection Project has been working to strengthen the protections for this critical security boundary. Kees Cook, one of the founders of LSPP, described their goals as “It’s about creating a bright line between uid-0 and ring-0. The first of these distinctions was made way back with signed modules. It hasn’t been enough, though, since there are many ways for uid-0 to read or write kernel memory. My expectation for this was to reasonably fill all the remaining gaps.”
It is certainly an arduous task to defend this security boundary, but attackers are exploiting it in real-world malware campaigns like LoJax and Slingshot, so ignoring the problem does not make it go away.
Updates on WinRing0
As part of our previous research, we posted a list of vulnerable drivers, available here. One of the most significant was a driver often referred to as “WinRing0”. Recently, researchers at SafeBreach provided a thorough proof-of-concept analysis of an attack against HP Touchpoint Analytics, which utilizes the WinRing0 driver included as part of the OEM-installed software. SafeBreach demonstrated how the driver could be used to read arbitrary kernel memory and discussed how it could be misused in a variety of additional ways, including bypassing application allow listing, signature validation, and driver signature enforcement.
WinRing0 is also notable in that it is part of the OpenHardwareMonitor library and is readily accessible to anyone. As a result, it can easily be used and signed by multiple vendors and may be found under a variety of names and hashes. For instance, a check of VirusTotal reveals that the original WinRing0 driver analyzed as part of our research has been identified under a variety of names including:
Our research into vulnerable drivers is ongoing, and we are actively working with additional vendors as part of our responsible disclosure process. Users and organizations should consider enabling Hypervisor-protected Code Integrity (HVCI) on devices that support the feature. A list of requirements and directions for enabling HVCI is available here. We will continue to analyze this vital area and provide updates in coordination with affected vendors.
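Because the same driver ships under many names, a defender needs to match on file hash as well as filename. As an added example (not Eclypsium's code), the following PowerShell inventories the kernel drivers currently loaded, hashes each file and flags any whose filename or SHA-256 matches a local blocklist; the filenames come from this post, while the hash entries are placeholders to be replaced with values you have verified yourself.

```powershell
# Added example (not Eclypsium's code): inventory loaded kernel drivers and flag
# names or SHA-256 hashes matching a local blocklist. Hash entries are PLACEHOLDERS.
$KnownBadNames  = @('pmxdrv.sys', 'pmxdrvx64.sys', 'WinRing0.sys', 'WinRing0x64.sys')
$KnownBadHashes = @(
    'PLACEHOLDER_SHA256_OF_KNOWN_BAD_DRIVER_1',
    'PLACEHOLDER_SHA256_OF_KNOWN_BAD_DRIVER_2'
)

function Get-LoadedDriverReport {
    # Win32_SystemDriver lists kernel-mode drivers together with their on-disk path.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it to a Win32 path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $file = Split-Path -Leaf $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            [pscustomobject]@{
                Service   = $_.Name
                File      = $file
                Path      = $path
                SHA256    = $hash
                Signer    = $signer
                SigStatus = $sig.Status
                # A valid signature does not make a driver safe: every driver in the
                # research was properly signed, so match on name and hash as well.
                NameMatch = [bool]($KnownBadNames -contains $file)
                HashMatch = [bool]($KnownBadHashes -contains $hash)
            }
        }
}

$report = Get-LoadedDriverReport
$report | Where-Object { $_.NameMatch -or $_.HashMatch } |
    Format-Table Service, File, SHA256, Signer, SigStatus -AutoSize
```

Run it from an elevated prompt so every driver file is readable; a match on hash but not on name is exactly the renamed-copy case the paragraph above describes.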
Short-Term and Long-Term Fixes
One of the key issues noted above is that there is no universally applicable way to prevent Windows from loading any of the bad drivers identified so far. However, going forward, Microsoft is addressing the issue through its HVCI technology. This lets HVCI act as a virtual firewall protecting the OS kernel.
However, this approach will not be available universally for some time. HVCI requires a 7th generation or newer processor, new processor features like mode-based execution control, and is not supported by many 3rd party drivers. As a result, many devices today will not be able to enable HVCI and will not be protected.
The only universally available option today is to block or blacklist old, known-bad drivers. To this end, we would like to specifically commend the response of Insyde Software, a UEFI firmware vendor. Of the 19 vendors we notified early this summer, Insyde is the only vendor so far to proactively contact Microsoft and ask that the old version of its driver be blocked. Thanks to this request, Windows Defender will proactively quarantine the vulnerable version of the driver so it cannot cause damage to the system.
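The recommendation above to enable HVCI where supported, and the hardware and driver requirements just described, can be checked from the machine itself. The following PowerShell is an added example (not from the original post): it queries the Device Guard WMI class to see whether VBS and HVCI are configured and actually running, and shows how HVCI is requested through its documented registry values. It assumes an elevated prompt on Windows 10.

```powershell
# Added example (not from the original post): report VBS/HVCI state and request HVCI.
function Get-HvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # In the SecurityServices* arrays, 1 = Credential Guard and 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    [pscustomobject]@{
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured      = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
        # Hardware properties the policy requires versus what the platform offers;
        # a required property that is missing explains why HVCI is not running.
        RequiredProperties  = @($dg.RequiredSecurityProperties) -join ','
        AvailableProperties = @($dg.AvailableSecurityProperties) -join ','
    }
}

function Enable-HvciPolicy {
    # Requests VBS and HVCI via the registry. Takes effect after a reboot, and only
    # if the processor and the loaded drivers meet the HVCI requirements.
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
    foreach ($k in @($dgKey, $hvciKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $dgKey   -Name 'EnableVirtualizationBasedSecurity' -Type DWord -Value 1
    Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Type DWord -Value 1
    # Locked = 0 keeps the setting changeable from the OS; 1 adds a UEFI lock so it
    # cannot be undone at runtime, mirroring the reboot-and-physical-presence model above.
    Set-ItemProperty -Path $hvciKey -Name 'Locked'  -Type DWord -Value 0
}

$status = Get-HvciStatus
$status | Format-List
if (-not $status.HvciRunning) {
    Write-Warning 'HVCI is not running: compare RequiredProperties with AvailableProperties and check third-party driver compatibility before calling Enable-HvciPolicy.'
}
```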
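Organisations that cannot wait for a vendor to request a Microsoft-side block can deny a known-bad driver themselves with a Windows Defender Application Control (WDAC) policy. The following PowerShell is an added example (not Eclypsium's or Microsoft's own procedure): it builds a hash-level deny rule for a retained copy of the old driver using the ConfigCI module, merges it onto Microsoft's sample base policy in audit mode, and compiles it. All file paths are assumptions.

```powershell
# Added example (not from the original post): WDAC deny policy for one known-bad driver.
Import-Module ConfigCI

$BadDriver  = 'C:\Quarantine\pmxdrvx64.sys'   # retained copy of the old driver (assumed path)
$BasePolicy = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml"
$OutXml     = 'C:\Policies\DenyVulnerableDrivers.xml'
$OutBin     = 'C:\Policies\DenyVulnerableDrivers.cip'

function New-DriverDenyPolicy {
    param([string]$DriverPath, [string]$Base, [string]$XmlOut, [string]$BinOut)

    # Hash-level deny rules match the exact binary, so a renamed copy (as happens
    # with WinRing0) is still caught. In WDAC, deny rules take precedence over allow rules.
    $deny = New-CIPolicyRule -DriverFilePath $DriverPath -Level Hash -Deny

    # Merge the deny rules into a copy of the base policy.
    Merge-CIPolicy -OutputFilePath $XmlOut -PolicyPaths $Base -Rules $deny | Out-Null

    # Option 3 = Audit Mode: blocked loads are logged to
    # Microsoft-Windows-CodeIntegrity/Operational but not enforced.
    # Remove the option (Set-RuleOption -Delete) once the audit log is clean.
    Set-RuleOption -FilePath $XmlOut -Option 3

    # Compile to the binary form the kernel consumes.
    ConvertFrom-CIPolicy -XmlFilePath $XmlOut -BinaryFilePath $BinOut | Out-Null
    return $BinOut
}

$bin = New-DriverDenyPolicy -DriverPath $BadDriver -Base $BasePolicy -XmlOut $OutXml -BinOut $OutBin
# Legacy single-policy deployment location; the policy activates after a reboot.
Copy-Item -LiteralPath $bin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
```

Test on a non-production machine first, since a base policy in enforced mode also blocks anything else it does not allow.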
1. MS14-003 – Important: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of…
Severity Rating: Important
Revision Note: V1.0 (January 14, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a user logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
2. From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw – Microsoft Security
3. How does this Dell driver vulnerability affect the computer? (in layman’s terms)
4. What is the vulnerability of Windows?
All Windows Versions are Vulnerable
Like an obsolete passkey, the security in Windows appears to protect you, but it cannot stop a determined attack without some external help. Designed for ease of use instead of security, all versions of Microsoft Windows are vulnerable.
5. How many vulnerabilities does Windows 10 have?
New Windows 10 Security Shock As 1,000 Vulnerabilities Revealed. According to research from BeyondTrust, the total number of vulnerabilities in Microsoft products rose by 48% compared to 2019.