Researchers analyzing the security of drivers for various Windows devices have found that more than 40 hardware drivers from at least 20 manufacturers can be used by attackers to achieve privilege escalation.
Hardware represents the building blocks of a computer running software. Drivers allow the operating system to recognize hardware components.
Driver programs allow communication between the kernel of the operating system and the hardware, with a higher level of permissions than a regular user and the system administrator.
Therefore, driver vulnerabilities are a very serious issue theme, as they can be used by a user to gain access to the kernel, but also to gain higher operating system (OS) privileges.
Drivers are also used to update the firmware, so the problem seems to become even more serious.
BIOS and UEFI firmware, for example, is low-level software that starts before the operating system when you turn on your computer. Malicious software embedded in the BIOS or UEFI is invisible to most security applications and cannot be removed even if you reinstall Windows.
Researchers at Eclypsium have discovered more than 40 Windows drivers that could be used by malicious users to gain higher privileges than a typical user, but also to gain access to the Windows kernel.
Affected manufacturers (see list below) include major BIOS vendors and big names in computer hardware such as ASUS, Toshiba, Intel, Gigabyte, Nvidia and Huawei.
According with Eclypsium:
All these vulnerabilities allow the driver to act as server proxy providing highly privileged access to hardware resources, such as read and write access to processor and chipset I/O, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory.
From the kernel, the attacker can access various firmware and hardware interfaces, gaining substantial system permissions on the victim computer. It may not remain invisible as it is not detected by normal OS-level protection products.
Installing drivers on Windows requires administrator privileges and must come from Microsoft Certified Companies. The installation software code is also signed by valid Certificate Authorities, to prove its authenticity. If there is no trusted signature, Windows warns the user.
However, Eclypsium's research refers to legitimate drivers with valid signatures that are accepted by Windows. These drivers are not designed to be malicious, but they do contain vulnerabilities which can be circumvented by malicious users.
Windows: The risk is not hypothetical
Attacks exploiting vulnerable drivers are not theoretical. They have been detected in cyber hacking by hackers who usually have the "backs" of a large company or a government.
Η team Slingshot APT used vulnerable drivers to gain elevated privileges on infected computers. The Lojax rootkit from APT28 was a much more insidious attack as it added the malware to the UEFI firmware via a signed driver.
All modern versions of Windows are affected by this problem and there is no mechanism to prevent it.
Below is a list of affected companies: