Spurred by several past instances of attackers abusing device drivers to install a kernel rootkit or malicious firmware implants, Eclypsium researchers have decided to probe the security of a wide array of drivers.
There are a lot of “bad” drivers out there
The result of their research was disappointing: more than 40 signed kernel mode drivers from at least 20 different vendors – including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei – were found to be insecure. And, unfortunately, all these have been certified by Microsoft for use on Windows.
“A vulnerable driver installed on a machine could allow an application running with user privileges to escalate to kernel privileges and abuse the functionality of the driver. In other words, any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware,” the researchers noted.
“A vulnerable driver could also give an attacker access to the ‘negative’ firmware rings that lie beneath the operating system. As seen with the LoJax malware, this allows malware to attack vulnerable system firmware (e.g. UEFI) to maintain persistence on the device, even if the operating system is completely reinstalled. Since many of the drivers themselves are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes.”
The researchers shared attack scenarios and additional technical details in a presentation at DEF CON.
What is being done about it?
Eclypsium has shared a (partial) list of affected vendors, and it includes ASRock, ASUSTeK Computer, ATI Technologies (AMD), Biostar, EVGA, Getac, GIGABYTE, Huawei, Insyde, Intel, Micro-Star International (MSI), NVIDIA, Phoenix Technologies, Realtek Semiconductor, SuperMicro, and Toshiba.
Some of them, like Intel, Huawei and Phoenix Technologies, have already made available updated drivers, signed with new certificates.
The Insyde Software Security Team has, in addition to that, started a fresh study of their drivers and applications that use the impacted drivers.
“We followed Microsoft’s updated Windows driver guidelines to redesign our applications and drivers. We also reduced the overall access requirements of our applications. New versions of our application packages with these and other security enhancements were released to our customers starting last month. We continue to work towards a full resolution for all platforms impacted,” they said.
Eclypsium researchers have not named all affected vendors yet “due to their work in highly regulated environments” and will allow them more time to get a fix certified and ready to deploy to customers before they go public with the names. They have promised, in due course, to publish a list of affected drivers so that admins and users can block them.
“To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers. Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security,” Microsoft explained.
Also, according to one of the researchers, Microsoft will use its Hypervisor-enforced Code Integrity (HVCI) capability to blacklist reported drivers. Still, that feature can’t be enabled or isn’t supported on many Intel CPUs – both older and newer – so manual intervention will be required on many systems.
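As an added example (not code from the article, Eclypsium or Microsoft), the following PowerShell applies the two recommendations above on one machine: it builds a WDAC deny-list policy that blocks a vulnerable driver by file hash, and it reports whether memory integrity (HVCI) is actually running. The driver path is a placeholder assumption; the vulnerable driver file would come from the vendor's or Eclypsium's published list.

```powershell
# Added example, not from the article: WDAC deny rule for a vulnerable driver
# plus an HVCI status check. Run from an elevated PowerShell on a supported
# Windows 10 / Windows Server build with the ConfigCI module available.
# The driver path is a PLACEHOLDER assumption, not a value from the article.

$VulnerableDriver = 'C:\Path\To\vulnerable_driver.sys'   # placeholder
$BasePolicy = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
$PolicyXml  = "$env:TEMP\BlockVulnerableDriver.xml"
$PolicyBin  = "$env:TEMP\SIPolicy.p7b"

# 1. Hash-level deny rule. A signer-level rule would also block every driver
#    signed with the same certificate, which is too broad for vendors that have
#    re-signed a fixed driver with a new certificate.
$denyRules = New-CIPolicyRule -DriverFilePath $VulnerableDriver -Level Hash -Deny

# 2. Merge the deny rule into an allow-all base, so the policy only blocks.
Merge-CIPolicy -PolicyPaths $BasePolicy -Rules $denyRules -OutputFilePath $PolicyXml | Out-Null

# 3. Start in audit mode (rule option 3): attempted loads are logged to the
#    Microsoft-Windows-CodeIntegrity/Operational channel instead of refused.
#    Remove the option with -Delete once the audit log is clean, to enforce.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 4. Compile to the binary form the kernel consumes. Copying it to
#    C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and rebooting activates it.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null
Write-Host "Policy written to $PolicyBin"

# 5. Memory integrity status: SecurityServicesRunning contains 2 when HVCI is
#    active. On hardware that cannot run HVCI, the deny list is the fallback.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) {
    Write-Host 'Memory integrity (HVCI) is running.'
} else {
    Write-Host 'Memory integrity (HVCI) is NOT running; rely on the WDAC deny list.'
}
```

Audit the CodeIntegrity event log for a few days before switching the policy to enforcement, since a hash rule must be regenerated for every build of the driver file.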
The presence of vulnerable drivers can make it increasingly challenging to secure the firmware attack surface, the researchers noted.
Aside from regularly updating to the latest version of device drivers when fixes become available from device manufacturers, they advise organizations to continuously scan for outdated firmware (and update it), to scan for vulnerabilities, and to monitor and test the integrity of their firmware to identify unapproved or unexpected changes.