More than forty driver models for PCs from twenty different manufacturers contain dangerous vulnerabilities that allow an attacker to escalate their privileges on the system.
Hardware is the base on which programs run, and the operating system uses drivers to recognize and interact with hardware components. Driver code establishes the connection between the hardware and the OS kernel and runs with privileges higher than those of a regular user or even an administrator. Vulnerabilities in drivers are therefore especially dangerous: with their help an attacker can obtain the highest privileges and reach the kernel of the OS.
Since drivers are also used to update hardware firmware, such vulnerabilities let an attacker reach components at a deeper level and interfere with their operation or disable them completely.
Eclypsium specialists identified vulnerabilities in more than forty drivers (including those from ASUS, Toshiba, Intel, Gigabyte, Nvidia, and Huawei) that allow an attacker to escalate privileges from user level to kernel level.
“Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – including every major BIOS vendor. The widespread nature of these vulnerabilities highlights a more fundamental issue – all the vulnerable drivers we discovered have been certified by Microsoft,” reported Eclypsium specialists.
According to them, these vulnerabilities let attackers use the driver as a proxy for highly privileged access to hardware components: for example, reading and writing data in the processor, as well as accessing the I/O space, model-specific registers (MSRs), control registers (CRs), debug registers (DRs), physical memory, and kernel virtual memory.
Vulnerable drivers are used in all devices running current versions of Windows, including Windows 10.
“The problems affect all modern versions of Microsoft Windows, and there is currently no universal mechanism that prevents a Windows machine from loading one of these drivers,” the researchers said.
Mitigation
The presence of vulnerable drivers can make it increasingly challenging to secure the firmware attack surface.
Vulnerable or outdated system and component firmware is a common problem and a high value target for attackers, who can use it to launch other attacks, completely brick systems, or remain on a device for years gathering data, even after the device is wiped. To make matters worse, in this case, the very drivers and tools that would be used to update the firmware are themselves vulnerable and provide a potential avenue for attack. As a result, organizations should not only continuously scan for outdated firmware, but also update to the latest version of device drivers when fixes become available from device manufacturers.
Organizations may also want to keep their firmware up to date, scan for vulnerabilities, and monitor and test the integrity of their firmware to identify unapproved or unexpected changes.
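The first step in following that advice is knowing which kernel-mode drivers a machine actually carries and how old they are. The script below is an added example, not code from the article or from Eclypsium: it inventories the drivers registered on a Windows host, records each file's version, publisher and signature, and lists the third-party ones oldest first so they can be checked against the vendor's current release. The "third party" test is a simple heuristic on the signer subject (assumed here), and, as the researchers note, a valid Microsoft-certified signature says nothing about whether a driver is safe; the point of the inventory is version tracking, not trust. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Eclypsium): inventory kernel-mode
# drivers registered on this host with version, publisher and signature data,
# so outdated third-party drivers can be matched against vendor fix lists.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Service image paths come in several NT-style forms; normalise them
    # to a plain Win32 path before touching the file.
    $p = $PathName -replace '^\\\?\?\\', ''                  # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot         # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"  # system32\drivers\x.sys
    if ($p -match '^[A-Za-z]:\\') { return $p }
    return Join-Path $env:SystemRoot $p
}

function Get-KernelDriverInventory {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $file = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Name        = $d.Name
            State       = $d.State          # Running / Stopped
            StartMode   = $d.StartMode      # Boot / System / Auto / Manual / Disabled
            Path        = $path
            FileVersion = $file.VersionInfo.FileVersion
            Company     = $file.VersionInfo.CompanyName
            LastWrite   = $file.LastWriteTime
            SigStatus   = $sig.Status       # Valid / NotSigned / HashMismatch / ...
            Signer      = $signer
            # Heuristic (assumption): anything not signed by Microsoft itself is
            # a vendor driver whose updates must be sourced from that vendor.
            ThirdParty  = ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

# Third-party kernel drivers, oldest file first: the ones to check against
# the manufacturer's current driver release.
Get-KernelDriverInventory |
    Where-Object { $_.ThirdParty } |
    Sort-Object LastWrite |
    Format-Table Name, State, StartMode, FileVersion, Company, LastWrite, SigStatus -AutoSize
```

Feeding the same objects to `Export-Csv` on a schedule gives a baseline to diff against, which is how a newly installed or downgraded driver shows up between scans.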