At the DEF CON 27 security conference today in Las Vegas, security researchers from Eclypsium gave a talk about common design flaws they found in more than 40 kernel drivers from 20 different hardware vendors.
The common design flaw is that low-privileged applications can use legitimate driver functions to execute malicious actions in the most sensitive areas of the Windows operating system, such as the kernel itself.
“There are a number of hardware resources that are normally only accessible by privileged software such as the Windows kernel and need to be protected from malicious read/write from userspace applications,” Mickey Shkatov, Principal Researcher at Eclypsium, told ZDNet in an email earlier this week.
“The design flaw surfaces when signed drivers provide functionality which can be misused by userspace applications to perform arbitrary read/write of these sensitive resources without any restriction or checks from Microsoft,” he added.
Shkatov blames the issues he discovered on bad coding practices that don’t take security into account.
“This is a common software design anti-pattern where, rather than making the driver only perform specific tasks, it’s written in a flexible way to just perform arbitrary actions on behalf of userspace,” he told ZDNet.
“It’s easier to develop software by structuring drivers and applications this way, but it opens the system up for exploitation.”
Impacted vendors
Shkatov said his company has notified each of the hardware vendors that were shipping drivers that allow userspace apps to run kernel code. Vendors who issued updates are listed below.
● American Megatrends International (AMI)
● ASRock
● ASUSTeK Computer
● ATI Technologies (AMD)
● Biostar
● EVGA
● Getac
● GIGABYTE
● Huawei
● Insyde
● Intel
● Micro-Star International (MSI)
● NVIDIA
● Phoenix Technologies
● Realtek Semiconductor
● SuperMicro
● Toshiba
“Some vendors, like Intel and Huawei, have already issued updates. Some which are IBVs [independent BIOS vendors] like Phoenix and Insyde are releasing their updates to their customer OEMs,” Shkatov told ZDNet.
The Eclypsium researcher said he did not name all the impacted vendors, though, as some “needed extra time due to special circumstances”; fixes and advisories for those vendors will follow later.
The Eclypsium researcher said he plans to publish the list of affected drivers and their hashes on GitHub after the talk, so users and administrators can block the affected drivers.
[The article will be updated with the link when available.]
In addition, Shkatov said Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to blacklist drivers that are reported to them.
However, Shkatov said that the HVCI feature is only supported on 7th gen Intel CPUs and onwards. Manual intervention will be needed on older systems, and even on newer Intel CPUs where HVCI can’t be enabled.
“In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer,” Microsoft said in a statement. “To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers. Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security. Microsoft works diligently with industry partners to address privately disclosed vulnerabilities and work together to help protect customers.”
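The two mitigations above (memory integrity/HVCI, and blocking known-bad drivers by hash) both start with knowing what is loaded and whether HVCI is actually running. The script below is an added example written for this article; it is not code from Eclypsium, ZDNet or Microsoft. It assumes a blocklist text file with one SHA256 hash per line (the path is a placeholder; the researchers’ GitHub list was not available when this was written, so no real hashes are included), and it should be run from an elevated PowerShell session.

```powershell
# Added example (not from Eclypsium, ZDNet or Microsoft): inventory the kernel
# drivers currently loaded on a Windows host, hash them, compare the hashes
# against a blocklist file, and report whether memory integrity (HVCI) is on.
# Assumption: $BlocklistPath is a placeholder; point it at a list you trust,
# formatted as one SHA256 hash per line.

param(
    [string]$BlocklistPath = 'C:\admin\vulnerable-driver-hashes.txt'  # placeholder path
)

# --- 1. Memory integrity / HVCI status ---------------------------------------
# Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is running
# (1 would be Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
Write-Host ("HVCI (memory integrity) running: {0}" -f $hvciRunning)
if (-not $hvciRunning) {
    Write-Host "HVCI is not running; known-bad drivers must be blocked another way (e.g. a WDAC policy)."
}

# --- 2. Load the blocklist -----------------------------------------------------
$blocklist = @{}
if (Test-Path $BlocklistPath) {
    Get-Content $BlocklistPath |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ -match '^[0-9A-F]{64}$' } |      # keep only well-formed SHA256 lines
        ForEach-Object { $blocklist[$_] = $true }
} else {
    Write-Warning "Blocklist not found at $BlocklistPath; only an inventory will be produced."
}

# --- 3. Resolve the on-disk path of every running kernel driver ---------------
# Win32_SystemDriver.PathName comes in several shapes: a plain C:\... path,
# \??\C:\..., \SystemRoot\System32\..., or a bare system32\drivers\x.sys.
function Resolve-DriverPath {
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''                          # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot               # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"     # bare system32\... (case-insensitive)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$report = foreach ($d in $drivers) {
    $path = Resolve-DriverPath $d.PathName
    if (-not $path -or -not (Test-Path $path)) { continue }
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name      = $d.Name
        Path      = $path
        SHA256    = $hash
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SigStatus = $sig.Status
        Blocked   = $blocklist.ContainsKey($hash)   # true if the loaded file is on the blocklist
    }
}

# --- 4. Report: blocklisted drivers first, then the full inventory ------------
$flagged = $report | Where-Object Blocked
if ($flagged) {
    Write-Host "`nLoaded drivers that match the blocklist:" -ForegroundColor Red
    $flagged | Format-Table Name, Signer, SHA256 -AutoSize
} else {
    Write-Host "`nNo loaded driver matches the blocklist."
}
$report | Sort-Object Name | Format-Table Name, Signer, SigStatus, Blocked -AutoSize
```

The script only inventories and flags; enforcement is a separate step, which on Windows means a Windows Defender Application Control policy with deny rules for the flagged hashes or signers, plus turning on memory integrity where the hardware allows it. Hashing the file on disk is what makes a published hash list usable, since a signed driver that is later found to be vulnerable still carries a valid signature, so signature status alone says nothing about whether it belongs to this class of flaw.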
More details will be available on the Eclypsium blog later today.