Researchers analyzing the security of drivers for various Windows devices have found that more than 40 hardware drivers from at least 20 manufacturers can be used by attackers to achieve privilege escalation.
Hardware represents the building blocks of a computer running software. Drivers allow the operating system to recognize hardware components.
Driver programs allow communication between the kernel of the operating system and the hardware, with a higher level of permissions than a regular user and the system administrator.
Therefore, vulnerabilities in drivers are a very serious issue, as they can be used by a user to access the kernel, but also to gain higher privileges in the operating system (OS).
Drivers are also used to update the firmware, so the problem seems to become even more serious.
BIOS and UEFI firmware, for example, is low-level software that starts before the operating system when you turn on your computer. Malicious software embedded in the BIOS or UEFI is invisible to most security applications and cannot be removed even if you reinstall Windows.
Researchers at Eclypsium have discovered more than 40 Windows drivers that could be used by malicious users to gain higher privileges than a typical user, but also to gain access to the Windows kernel.
Affected manufacturers (see list below) include major BIOS vendors and big names in computer hardware such as ASUS, Toshiba, Intel, Gigabyte, Nvidia and Huawei.
According with Eclypsium:
All these vulnerabilities allow to program οδήγησης να ενεργεί σαν διακομιστής μεσολάβησης (proxy) παρέχοντας μια εξαιρετικά προνομιακή πρόσβαση στους πόρους του hardware, όπως πρόσβαση ανάγνωσης και εγγραφής στον επεξεργαστή και το chipset Ι/Ο, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory και kernel Interactive memory.
From the kernel, the attacker can access various firmware and hardware interfaces, gaining substantial system permissions on the victim computer. It may not remain invisible as it is not detected by normal OS-level protection products.
Installing drivers on Windows requires administrator rights and must come from companies certified by Microsoft. Its code software installation is also signed by valid Certificate Authorities, to prove its authenticity. In case there is no trusted signature, Windows warns the user.
However, Eclypsium's research refers to legitimate drivers with valid signatures that are accepted by Windows. These drivers are not designed to be malicious, but they do contain vulnerabilities that could be circumvented by malicious users.
Windows: The risk is not hypothetical
Attacks exploiting vulnerable drivers are not theoretical. They have been detected in cyber hacking by hackers who usually have the "backs" of a large company or a government.
The Slingshot APT team used vulnerable drivers to gain higher privileges on infected computers. The Lojax rootkit from APT28 was a much more insidious attack as you add the malware to the UEFI firmware through a signed driver.
All modern versions of Windows are affected by this problem and there is no mechanism to prevent it.
Below is a list of affected companies: