Reportedly, a buggy Huawei utility shipped with its MateBook laptops allows an attacker to perform local privilege escalation and gain complete access to, and control of, Windows 10. Thanks to Microsoft’s work, Huawei patched the flaw in January. Let’s take a look at this critical vulnerability in Huawei laptops.
Microsoft Found a Critical Vulnerability from Huawei
With kernel mitigations continually improving and the bar for exploiting native kernel components rising, attackers are paying more attention to third-party kernel drivers. A flaw in a signed third-party driver can have a serious impact: attackers can use it to escalate privileges or bypass driver signature enforcement.
Computer vendors usually ship devices with tools and software that facilitate device management. These tools, including drivers, often contain components that run with ring-0 privileges in the kernel, and these components are installed by default. Each component must therefore be as secure as the kernel itself. A single flawed component puts the whole kernel security design at risk.
When Microsoft investigated an alert raised by Microsoft Defender Advanced Threat Protection’s kernel sensors, such a driver was found. The anomalous behavior stemmed from a device management driver developed by Huawei. And after digging deeper, a lapse in the design led to a flaw that could allow local privilege escalation.
Security Flaw in Huawei Laptops
To be specific, the nasty privileged execution vulnerability was discovered in the Huawei PCManager driver software that comes pre-installed on almost all the Huawei MateBook laptops. The flaw has left Huawei users exposed to kernel-level attacks.
The Huawei driver flaw was detected after new kernel sensors were brought into Windows 10 through the much-maligned October 2018 Update V1803.
Introduced as part of Microsoft’s response to the WannaCry malware attack in 2017, these sensors are meant to address the difficulty of detecting malicious code running in the kernel. They detect user-space asynchronous procedure call (APC) code injection from the kernel, to stop a similar security compromise from happening again.
The driver utility of Huawei was flagged by the new sensors and reported to Microsoft via Microsoft Defender ATP. And then the ATP team reverse-engineered the driver so as to figure out what it was doing.
The investigation led researchers to the executable MateBookService.exe. Because of a flaw in Huawei’s watchdog mechanism for HwOs2Ec10x64.sys, attackers can create a malicious instance of the MateBookService.exe in order to gain the privileges they’d need.
By exploiting this critical vulnerability in Huawei laptops, attackers can use low-privileged code to read and write to more critical processes or to kernel space. As a result, the flaw could lead to a full machine compromise.
“An attacker-controlled instance of MateBookService.exe will still be granted access to the device \\.\HwOs2EcX64 and be able to call some of its IRP functions. Then, the attacker-controlled process could abuse this capability to talk with the device to register a watched executable of its own choice. Given the fact that a parent process has full permissions over its children, even a code with low privileges might spawn an infected MateBookService.exe and inject code into it.” (Microsoft)
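A detection-side illustration of the behaviour quoted above, added here and not taken from Microsoft or Huawei: it scans process-creation events for MateBookService.exe instances that were not started by the Service Control Manager. The Sysmon-style field names, the sample events, the placeholder paths, and the premise that the genuine service is launched by services.exe at System integrity are assumptions.

```python
import ntpath

# Assumptions (not stated in the article): the genuine service is started by the
# Service Control Manager from its standard path and runs at System integrity.
WATCHED_IMAGE = "matebookservice.exe"
EXPECTED_PARENT = r"c:\windows\system32\services.exe"
EXPECTED_INTEGRITY = "System"

# Constructed sample events (Sysmon Event ID 1 field names); paths are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 812, "Image": r"C:\<install-dir>\MateBookService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "IntegrityLevel": "System"},
    {"ProcessId": 4520, "Image": r"C:\<install-dir>\MateBookService.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\updater.exe",
     "IntegrityLevel": "Medium"},
    {"ProcessId": 4600, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    # Look-alike parent name outside System32: compare full paths, not basenames.
    {"ProcessId": 5012, "Image": r"C:\Users\user\Downloads\MATEBOOKSERVICE.EXE",
     "ParentImage": r"C:\Users\user\services.exe", "IntegrityLevel": "Medium"},
]


def suspicious_reasons(event):
    """Return why an event looks like a non-service launch of the watched binary."""
    if ntpath.basename(event.get("Image", "")).lower() != WATCHED_IMAGE:
        return []  # not the watched executable
    reasons = []
    parent = event.get("ParentImage", "")
    if ntpath.normpath(parent).lower() != EXPECTED_PARENT:
        reasons.append(f"unexpected parent: {parent or 'unknown'}")
    integrity = event.get("IntegrityLevel", "unknown")
    if integrity != EXPECTED_INTEGRITY:
        reasons.append(f"integrity level {integrity}, expected {EXPECTED_INTEGRITY}")
    return reasons


def triage(events):
    """Map ProcessId -> reasons for every flagged event."""
    flagged = {}
    for event in events:
        reasons = suspicious_reasons(event)
        if reasons:
            flagged[event["ProcessId"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```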
Final Words
For MateBook users, there is no need to panic: Microsoft alerted Huawei to this security flaw, and it was patched in January. But it is embarrassing for Huawei and does little to support the claim that Huawei products are safe.
For users, this is just a reminder: no matter which laptop or desktop you own, security software is necessary, for example, Symantec Norton Security.
Besides, to keep their PCs safe, we recommend that users back up their computers regularly with professional Windows backup software, MiniTool ShadowMaker.