Eclypsium recently reported that its researchers found security flaws in 40 kernel drivers from 20 vendors. Attackers can use these common design flaws to escalate privileges and deploy persistent malware. Eclypsium has notified every affected vendor; some have released patches, but others still have not.
Security Flaws in 40 Kernel Drivers from 20 Vendors
Researchers from Eclypsium, a firmware security company, analyzed device drivers from major vendors and found security flaws in 40 kernel drivers from 20 vendors. These flaws can be used to deploy malware that persists on the machine.

Flaws in this class of driver are a serious threat because of what the drivers are for. Device drivers of this kind expose UEFI/BIOS and other low-level system components so that utilities can change settings, update firmware, and run diagnostics.
However, vulnerabilities in these drivers allow attackers to escalate privileges to the highest level on the system and give them a highly persistent foothold: the driver stays installed, and usable, until someone removes it.
Privilege escalation flaws had previously been discovered in drivers from Gigabyte, ASRock, ASUS, Huawei and others, and some sophisticated threats have used exactly this type of weakness to install rootkits.
Eclypsium wanted to find out how common device driver vulnerabilities are, so its researchers analyzed software from ASUS, ATI, AMI, Biostar, EVGA, Getac, Gigabyte, Huawei, Intel, MSI, Phoenix Technologies, Realtek, Toshiba, and other vendors.
Eclypsium points out that the flaws in these drivers can be used to escalate from user mode to kernel mode. Malware running on the target machine can then reach the operating system kernel, firmware interfaces, and the device's hardware.
If the target machine does not already have a vulnerable driver installed, an attacker can bring one along and install it, but that requires administrator privileges. In other words, these flaws are a privilege-escalation and persistence step, not an initial-access vector: an attacker who is already an administrator uses a legitimately signed driver to get into the kernel and stay there.
The principal researcher at Eclypsium said that the drivers tested share the same level of vulnerability: on behalf of user-space requests, the kernel drivers perform arbitrary access to privileged components, reading or writing contents that should be protected from user space. Even so, the specific access primitives and privileged resources differ from driver to driver.
The researcher also explained that, depending on the driver, a user-space application is able to tell the driver to read or write physical memory, security-critical CPU registers, or kernel memory, or to perform arbitrary PCI/IO access to devices.
That is the general picture of the security flaws in these 40 kernel drivers. The following part introduces the affected vendors and how they have responded.
Impacted Vendors
Eclypsium found flaws in many widely deployed kernel drivers, and the list of affected vendors is long.
Eclypsium states that all of the drivers come from trusted manufacturers, are signed with certificates issued by valid certificate authorities, and are certified by Microsoft. The problem affects all modern versions of Microsoft Windows, and Eclypsium found no universal mechanism that prevents a Windows machine from loading these known-bad drivers.
Group Policy and other features specific to Windows Server, Windows Enterprise and Windows Pro can provide some protection. Once installed, the drivers remain on the device indefinitely unless they are specifically updated or uninstalled.
Each affected vendor was notified and given more than 90 days to release patches. Only Huawei and Intel have released public advisories and patches. Insyde and Phoenix have provided patches to their OEM customers.
Two other vendors have promised to release patches, eight confirmed that they received the bug report but have not said if or when they will release patches, and five have not responded at all.
Eclypsium also notified Microsoft. Microsoft's response is that an attacker must already have compromised the target device before such an attack can be launched. To mitigate the problem, Microsoft recommends blocking known vulnerable software and drivers with Windows Defender Application Control (WDAC) and turning on memory integrity (under Core isolation in Windows Security) on devices that support it, so that a vulnerable driver cannot be used to run unsigned code in the kernel.
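Because the drivers are legitimately signed and stay installed until removed, the practical check is to inventory what is actually loaded in the kernel and to confirm the mitigations above are on. The following PowerShell script is an added example written for this article, not code from Eclypsium, Microsoft or MiniTool. It lists the running kernel drivers with their signer and SHA-256, flags any whose hash appears in a local blocklist, and reports whether memory integrity (HVCI) and a WDAC policy are active. The blocklist path and its one-hash-per-line format are assumptions for illustration; the file is empty by default, so nothing is flagged until you add hashes from an advisory you trust. Run it from an elevated PowerShell prompt.

```powershell
# Added example: inventory loaded kernel drivers and check the mitigations
# Microsoft recommends (WDAC blocklist, memory integrity). Not vendor code.

# Assumed location and format of a local blocklist: one SHA-256 hex string per line.
$BlocklistPath = 'C:\Temp\known-bad-driver-hashes.txt'

$blocked = @{}
if (Test-Path $BlocklistPath) {
    Get-Content $BlocklistPath |
        Where-Object { $_ -match '^[0-9a-fA-F]{64}$' } |
        ForEach-Object { $blocked[$_.ToUpperInvariant()] = $true }
}

# Win32_SystemDriver lists kernel-mode drivers; only running ones with a path matter here.
$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalize NT-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        if ($path -match '^\\SystemRoot\\') {
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        }
        if (-not (Test-Path $path)) { return }   # skip entries we cannot open

        # Note: catalog-signed inbox drivers may report NotSigned on older PowerShell
        # versions that do not consult catalog files; third-party .sys files are
        # normally embedded-signed and report their signer correctly.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SigStatus = $sig.Status
            SHA256    = $hash
            Blocked   = $blocked.ContainsKey($hash)
        }
    }

# Third-party drivers are the interesting ones; Microsoft-signed inbox drivers are filtered out.
$report |
    Where-Object { $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Blocked -Descending |
    Format-Table Name, Signer, SigStatus, Blocked -AutoSize

# Device Guard status. SecurityServicesRunning contains 2 when HVCI (memory integrity)
# is running; CodeIntegrityPolicyEnforcementStatus is 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"Memory integrity (HVCI) running: $hvciRunning"
"WDAC kernel-mode policy enforcement status: $($dg.CodeIntegrityPolicyEnforcementStatus)"
```

A driver that shows up as blocked, or any third-party driver you do not recognize, is worth checking against the vendor's advisory; an HVCI value of False on hardware that supports it means the recommended mitigation is not actually in effect.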
Bottom Line
This post has described the vulnerabilities Eclypsium researchers found in device drivers from 20 vendors, which vendors are affected, how they have responded, and the mitigations Microsoft recommends.