At the DEF CON 27 security conference today in Las Vegas, security researchers from Eclypsium gave a talk about common design flaws they found in more than 40 kernel drivers from 20 different hardware vendors.
The common design flaw is that low-privileged applications can use legitimate driver functions to execute malicious actions in the most sensitive areas of the Windows operating system, such as the Windows kernel.
“There are a number of hardware resources that are normally only accessible by privileged software such as the Windows kernel and need to be protected from malicious read/write from userspace applications,” Mickey Shkatov, Principal Researcher at Eclypsium, told ZDNet in an email earlier this week.
“The design flaw surfaces when signed drivers provide functionality which can be misused by userspace applications to perform arbitrary read/write of these sensitive resources without any restriction or checks from Microsoft,” he added.
Shkatov blames the issues he discovered on bad coding practices that don’t take security into account.
“This is a common software design anti-pattern where, rather than making the driver only perform specific tasks, it’s written in a flexible way to just perform arbitrary actions on behalf of userspace,” he told ZDNet.
“It’s easier to develop software by structuring drivers and applications this way, but it opens the system up for exploitation.”
Shkatov said his company has notified each of the hardware vendors that were shipping drivers that allow userspace apps to run kernel code. Vendors who issued updates are listed below.
● American Megatrends International (AMI)
● ASUSTeK Computer
● ATI Technologies (AMD)
● Micro-Star International (MSI)
● Phoenix Technologies
● Realtek Semiconductor
“Some vendors, like Intel and Huawei, have already issued updates. Some which are IBVs [independent BIOS vendors] like Phoenix and Insyde are releasing their updates to their customer OEMs,” Shkatov told ZDNet.
The Eclypsium researcher said he did not name all the impacted vendors, though, as some “needed extra time due to special circumstances”; fixes and advisories for those will be released later.
The Eclypsium researcher said he plans to publish the list of affected drivers and their hashes on GitHub after the talk, so users and administrators can block the affected drivers. [The article will be updated with the link when available.]
In addition, Shkatov said Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to blacklist drivers that are reported to them.
However, Shkatov said that the HVCI feature is only supported on 7th gen Intel CPUs and onwards. Manual intervention will be needed on older systems, and even on newer Intel CPUs where HVCI can’t be enabled.
“In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer,” Microsoft said in a statement. “To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers. Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security. Microsoft works diligently with industry partners to address to privately disclose vulnerabilities and work together to help protect customers.”
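What the two mitigations named above look like on an administrator's console, as an added PowerShell example (not code from the article, Eclypsium or Microsoft): it reports whether HVCI/memory integrity is actually running, hashes the drivers registered on the machine against a block list, and emits a WDAC hash-level deny rule for a driver file. Assumptions: the block-list hash is a constructed placeholder (the GitHub list the article mentions was not yet published), the Win32_DeviceGuard class and the ConfigCI cmdlets are present, and the session is elevated.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# The hash below is a PLACEHOLDER; replace it with the published driver hashes.
$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder
)

# 1. Is HVCI (memory integrity) configured AND running? Win32_DeviceGuard lists
#    security services by number: 1 = Credential Guard, 2 = HVCI. On hardware
#    that cannot enable HVCI, HvciRunning stays $false and step 2/3 is the fallback.
function Get-HvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus        # 2 = running
        HvciConfigured  = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning     = [bool]($dg.SecurityServicesRunning -contains 2)
        CiEnforcement   = $dg.CodeIntegrityPolicyEnforcementStatus      # 2 = enforced
    }
}

# 2. Hash every driver registered with the Service Control Manager and flag any
#    whose SHA-256 is on the block list; a Running state means it is loaded now.
function Find-BlockedDrivers {
    param([string[]]$BlockList)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and (Test-Path -LiteralPath $_.PathName) } |
        ForEach-Object {
            $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.PathName).Hash
            if ($BlockList -contains $h) {
                [pscustomobject]@{ Name = $_.Name; State = $_.State
                                   Path = $_.PathName; Sha256 = $h }
            }
        }
}

# 3. Build a WDAC deny rule for one driver file (hash level, so a renamed copy is
#    still blocked) and write it as a policy XML that can be merged into the
#    existing base policy with Merge-CIPolicy and compiled with ConvertFrom-CIPolicy.
function New-DriverDenyPolicy {
    param([string]$DriverPath, [string]$OutXml)
    $rules = New-CIPolicyRule -Level Hash -DriverFilePath $DriverPath -Deny
    New-CIPolicy -Rules $rules -FilePath $OutXml
    $OutXml
}

Get-HvciStatus
Find-BlockedDrivers -BlockList $KnownBadSha256
```

Merge the generated XML into the deployed policy (for example with `Merge-CIPolicy -PolicyPaths .\base.xml, .\deny.xml -OutputFilePath .\merged.xml`) and test it in audit mode before enforcing it; a deny rule for a driver the system boots from will take the machine down.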
More details will be available on the Eclypsium blog later today.