Researchers analyzing the security of drivers for various Windows devices have found that more than 40 hardware drivers from at least 20 manufacturers can be used by attackers to achieve privilege escalation.
Hardware represents the building blocks of a computer running software. Drivers allow the operating system to recognize hardware components.
Driver programs mediate communication between the operating system kernel and the hardware, and they run with a higher level of privilege than a regular user or even the system administrator.
Therefore, vulnerabilities in drivers are a very serious issue: they can be used by a user to access the kernel, and also to gain higher privileges in the operating system (OS).
Drivers are also used to update firmware, which makes the problem even more serious.
BIOS and UEFI firmware, for example, is low-level software that starts before the operating system when you turn on your computer. Malicious software embedded in the BIOS or UEFI is invisible to most security applications and cannot be removed even if you reinstall Windows.
Researchers at Eclypsium have discovered more than 40 Windows drivers that could be used by malicious users to gain higher privileges than a typical user, but also to gain access to the Windows kernel.
Affected manufacturers (see list below) include major BIOS vendors and big names in computer hardware such as ASUS, Toshiba, Intel, Gigabyte, Nvidia and Huawei.
According to Eclypsium:
All these vulnerabilities allow the driver to act as a proxy server providing extremely privileged access to hardware resources such as read and write access to the processor and I/O chipset, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel interactive memory.
From the kernel, the attacker can gain access to various firmware and hardware interfaces, effectively gaining system privileges on the victim's computer. It may not remain invisible since it is not detected by normal product protections, which operate at the OS level.
Installing drivers on Windows requires administrator rights, and the drivers must come from companies certified by Microsoft. The installer code is also signed by valid Certificate Authorities to prove its authenticity. If there is no trusted signature, Windows warns the user.
However, the Eclypsium research concerns legitimate drivers with valid signatures that are accepted by Windows. These drivers are not designed to be malicious, but they contain vulnerabilities that can be exploited by malicious users.
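Because the drivers in question carry valid signatures, a signature check alone does not separate safe drivers from vulnerable ones; what a defender can do is inventory which signed third-party kernel drivers are present and track them against vendor advisories. The following PowerShell script is an added example (not code from the article or from Eclypsium); it assumes an elevated PowerShell 5.1 or later session on Windows, and the function names are the author's own:

```powershell
# Added example: list kernel drivers with their Authenticode signers so that
# validly signed, non-Microsoft drivers can be reviewed against advisories.
# Assumes an elevated PowerShell session on Windows.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # Win32_SystemDriver reports kernel-style paths; normalise them to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''                      # strip a leading \??\
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"  # (-replace is case-insensitive)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignerReport {
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $file = Resolve-DriverPath $_.PathName
        if ($file -and (Test-Path $file)) {
            $sig = Get-AuthenticodeSignature -FilePath $file
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                Path      = $file
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Validly signed drivers whose signer is not Microsoft: these are the legitimately
# signed third-party drivers the article describes, and the set an inventory
# should track for known vulnerabilities and vendor updates.
Get-DriverSignerReport |
    Where-Object { $_.SigStatus -eq 'Valid' -and $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Signer |
    Format-Table Name, State, Signer, Path -AutoSize
```

A `Valid` status here only means the binary is properly signed; whether a listed driver is affected must be checked against the vendor's own advisories.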
Windows: The risk is not hypothetical
Attacks exploiting vulnerable drivers are not theoretical. They have been observed in intrusions by hackers who usually have the backing of a large company or a government.
The Slingshot APT team used vulnerable drivers to gain higher privileges on infected computers. The LoJax rootkit from APT28 was a much more insidious attack, as it wrote the malware into the UEFI firmware through a signed driver.
All modern versions of Windows are affected by this problem and there is no mechanism to prevent it.
Below is a list of affected companies: