At this year's DEF CON conference in Las Vegas, researchers from cybersecurity firm Eclypsium shared their findings indicating more than 40 different drivers from 20 hardware vendors contained poor code that could be exploited to mount an escalation of privilege attack. Even more worrisome, all these drivers had been certified by Microsoft.
The list of companies affected includes major BIOS vendors as well as hardware manufacturers like ASUS, Huawei, Intel, NVIDIA and Toshiba. Eclypsium also cautioned that these drivers affected all versions of Windows, meaning millions of users could be at risk.
The risk such drivers pose is that they may allow a malicious application at the user level to gain kernel privileges, thereby gaining direct access to firmware and the hardware itself. This could also mean that the malware could be installed directly into the firmware and, therefore, even reinstalling the operating system would not be enough to get rid of it.
Eclypsium explains the operation of these vulnerabilities as follows:
All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory. This is a privilege escalation as it can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0). The concept of protection rings is summarized in the image below, where each inward ring is granted progressively more privilege. It is important to note that even Administrators operate at Ring 3 (and no deeper), alongside other users. Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware.
Since drivers are often the very means of updating firmware, "the driver is providing not only the necessary privileges, but also the mechanism to make changes," noted Eclypsium. If a vulnerable driver is already present on the system, a malicious application would only need to search for it in order to elevate privilege. However, if the driver is not present, a malicious application could bring the driver with it but would require administrator approval in order to install the drivers.
In a statement to ZDNet, Principal Researcher at Eclypsium, Mickey Shkatov, noted that "Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to blacklist drivers that are reported to them." However, the feature is only available on 7th generation and later Intel processors and therefore the drivers would need to be manually uninstalled in the case of older CPUs or even newer ones where HCVI is disabled.
Microsoft further clarified: "In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer." However, the issue here is the fact that an attacker who has compromised the system at Ring 3 in the above representation of privilege levels, could then gain kernel access.
In order to protect themselves from bad drivers, Microsoft advises users to utilise "Windows Defender Application Control to block known vulnerable software and drivers." It also stated, "Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security."
Eclypsium has a complete list of all the vendors who have already updated their drivers on its blog post pertaining to the matter, though it notes that some of the vendors affected have not yet been named as they are still working on providing fixes. Its researchers will also upload a list of the affected drivers and their hashes on GitHub later so users can manually disable them if they have them on their device.