Signed, Certified, But Still Vulnerable – Flaws Discovered in 40 Kernel Drivers from 20 Different Vendors
At the DEF CON 27 security conference in Las Vegas, security researchers from around the world shared some of the most damning exploits in the industry. One such report came from Eclypsium researchers revealing design flaws in more than 40 kernel drivers from 20 different vendors potentially affecting millions of Windows users.
"Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host," the researchers wrote. They added that "the problem of insecure drivers is widespread" as it at least affects over 40 drivers from different vendors.
These include "every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei."
But the reason why this is such a widespread issue has to do with Microsoft, Eclypsium researchers said: "all the vulnerable drivers we discovered have been certified by Microsoft." They added that a vulnerable driver can provide an attacker with "improperly elevated privileges" and they have engaged with Microsoft to better protect against these vulnerabilities by taking steps like blacklisting known bad drivers.
The concern here is that because these drivers have been signed or certified by valid Certificate Authorities, they can't be considered as rogue. They are delivered by trusted third-party vendors and are certified by Microsoft. "These issues apply to all modern versions of Microsoft Windows and there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers," the research noted. "Implementing group policies and other features specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users."
Once installed, these drivers can reside on a device for long periods of time unless specifically updated or uninstalled. In addition to the drivers which are already installed on the system, malware can bring any of these drivers along with them to perform privilege escalation and gain direct access to the hardware.
The researchers recommended both Microsoft and the third-party vendors to be more vigilant with these types of vulnerabilities.
In response, Microsoft issued a statement that said "an attacker would need to have already compromised the computer" in order to exploit vulnerable drivers. The company added that customers should use Windows Defender Application Control to block known vulnerabilities.
"To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers. Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security. Microsoft works diligently with industry partners to address to privately disclose vulnerabilities and work together to help protect customers."
Affected vendors include ASRock, ASUSTeK Computer, ATI Technologies (AMD), Biostar, EVGA, Getac, GIGABYTE, Huawei, Insyde, Intel, Micro-Star International (MSI), NVIDIA, Phoenix Technologies, Realtek Semiconductor, SuperMicro, and Toshiba. But the list doesn't end here. Some of the vendors haven't been named yet as their work is in "highly regulated environments and will take longer to have a fix certified and ready to deploy to customers," researchers added. They also added that Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to blacklist drivers that are reported to the company. HVCI feature is, however, only supported on 7th Gen and newer Intel CPUs.
- Technical details of how these flaws can be exploited available over at the official blog post.