Researchers analyzing the security of drivers for various Windows devices have found that more than 40 hardware drivers from at least 20 manufacturers can be used by attackers to achieve privilege escalation.
Hardware represents the building blocks of a computer running software. Drivers allow the operating system to recognize hardware components.
Driver programs allow communication between the kernel of the operating system and the hardware, with a higher level of permissions than a regular user and the system administrator.
Therefore, vulnerabilities in drivers are a very serious issue, as they can be used by a user to access the kernel, but also to gain higher privileges in the operating system (OS).
Drivers are also used to update the firmware, so the problem seems to become even more serious.
BIOS and UEFI firmware, for example, is low-level software that starts before the operating system when you turn on your computer. Malicious software embedded in the BIOS or UEFI is invisible to most security applications and cannot be removed even if you reinstall Windows.
Researchers at Eclypsium have discovered more than 40 Windows drivers that could be used by malicious users to gain higher privileges than a typical user, but also to gain access to the Windows kernel.
Affected manufacturers (see list below) include major BIOS vendors and big names in computer hardware such as ASUS, Toshiba, Intel, Gigabyte, Nvidia and Huawei.
According with Eclypsium:
All these vulnerabilities allow the driver to act as a proxy server providing extremely privileged access to hardware resources such as read and write access to the processor and I / O chipset, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory.
From the kernel, the attacker can access various firmware and hardware interfaces, gaining substantial system permissions on the victim computer. It may not remain invisible as it is not detected by normal OS-level protection products.
Installing drivers on Windows requires administrator privileges and must come from Microsoft Certified Companies. The installation software code is also signed by valid Certificate Authorities, to prove its authenticity. If there is no trusted signature, Windows warns the user.
However, Eclypsium's research refers to legitimate drivers with valid signatures that are accepted by Windows. These drivers are not designed to be malicious, but they do contain vulnerabilities that could be circumvented by malicious users.
Windows: The risk is not hypothetical
Attacks exploiting vulnerable drivers are not theoretical. They have been detected in cyber hacking by hackers who usually have the "backs" of a large company or a government.
The Slingshot APT team used vulnerable drivers to gain higher privileges on infected computers. The Lojax rootkit from APT28 was a much more insidious attack as you add the malware to the UEFI firmware through a signed driver.
All modern versions of Windows are affected by this problem and there is no mechanism to prevent it.
Below is a list of affected companies: