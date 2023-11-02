At least 34 unique vulnerable drivers built on the Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) could be exploited by malicious actors without privileged access to gain full control of the affected devices and execute arbitrary code on the underlying systems.

Windows Driver Model and Frameworks: what the problems are

“By exploiting the drivers, an attacker without privileges may erase/alter firmware and/or elevate operating system privileges,” said Takahiro Haruyama, a senior cyber threat researcher at VMware Carbon Black.

The research builds on earlier work such as ScrewedDrivers and POPKORN, which used symbolic execution to automate the discovery of vulnerable drivers; it focuses specifically on drivers that expose firmware access to user mode through port I/O and memory-mapped I/O.

The vulnerable drivers named in the research include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841); these are third-party hardware-vendor drivers commonly found on Windows machines rather than Windows components.

Of the 34 drivers, six allow access to kernel memory, which can be abused to elevate privileges and defeat security solutions; another twelve could be exploited to subvert security mechanisms such as kernel address space layout randomization (KASLR).

Seven of the drivers, including Intel’s stdcdrv64.sys, can be used to erase the firmware held in SPI flash memory, rendering the system unbootable; Intel has since released a fix for the problem.

VMware said it also identified WDF drivers such as WDTKernel.sys and H2OFFT64.sys which are not vulnerable in terms of access control, but which can easily be weaponized by attackers who already hold privileged access (an administrator account, for example) in what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack.

This technique has been used by attackers around the world, including the North Korea-linked Lazarus group, to gain elevated privileges and disable security software running on compromised endpoints in order to evade detection.
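A practitioner reading the list above will want two things: an inventory of which kernel drivers a host actually has loaded, checked against the names in the research, and a readout of whether the platform mitigations that neutralize BYOVD (HVCI and the Microsoft vulnerable driver blocklist) are enforced. The PowerShell script below is an added example; it is not the VMware Carbon Black tooling and is not part of the original article. The driver file names and CVE IDs are the page’s own; the treatment of a file-name match as a lead rather than a verdict (a patched build keeps the same name), the use of Win32_DeviceGuard, and the VulnerableDriverBlocklistEnable registry value as the blocklist toggle are assumptions of this example.

```powershell
# Added example (not from the research or the article): inventory loaded kernel
# drivers, flag names that appear in the research's list, and report HVCI /
# vulnerable-driver-blocklist status. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Driver file names taken from the article. A name match is only a lead:
# a patched build keeps the same file name, so verify version and hash
# against the vendor advisory before concluding anything.
$NamedDrivers = @(
    'AODDriver.sys', 'ComputerZ.sys', 'dellbios.sys', 'GEDevDrv.sys',
    'GtcKmdfBs.sys', 'IoAccess.sys', 'kerneld.amd64', 'ngiodriver.sys',
    'nvoclock.sys', 'PDFWKRNL.sys', 'RadHwMgr.sys', 'rtif.sys',
    'rtport.sys', 'stdcdrv64.sys', 'TdkLib64.sys',
    # Sound on access control, but loadable by an admin for BYOVD
    'WDTKernel.sys', 'H2OFFT64.sys'
)

function Get-LoadedKernelDrivers {
    # Win32_SystemDriver lists kernel-mode driver services; 'Running' means loaded.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes in several shapes: "\??\C:\...", "\SystemRoot\...",
            # "system32\drivers\x.sys" (relative) or a plain absolute path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -FilePath $path
            $leaf = Split-Path -Leaf $path
            [pscustomobject]@{
                Service   = $_.Name
                File      = $leaf
                Path      = $path
                Version   = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigStatus = $sig.Status
                Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Flagged   = $NamedDrivers -contains $leaf   # -contains is case-insensitive
            }
        }
}

function Get-DriverProtectionStatus {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI (memory
    # integrity) is active; CodeIntegrityPolicyEnforcementStatus is 0 off, 1 audit, 2 enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Assumption of this example: the blocklist toggle is the documented CI\Config
    # registry value; when the value is absent, Windows applies its platform default
    # (on when HVCI is on), so only an explicit 0 is reported as disabled.
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blk = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        HvciRunning                = ($dg.SecurityServicesRunning -contains 2)
        CiPolicyEnforcement        = $dg.CodeIntegrityPolicyEnforcementStatus
        VulnerableDriverBlocklist  = if ($null -eq $blk) { 'default' } elseif ($blk -eq 1) { 'enabled' } else { 'disabled' }
    }
}

$drivers = Get-LoadedKernelDrivers

Write-Host "Loaded drivers matching names from the research (leads, not verdicts):"
$drivers | Where-Object Flagged |
    Format-Table Service, File, Version, SigStatus, Signer -AutoSize

Write-Host "Platform mitigations relevant to BYOVD:"
Get-DriverProtectionStatus | Format-List

# Full inventory for cross-checking hashes against vendor advisories or a blocklist.
$csv = Join-Path $env:TEMP 'driver-inventory.csv'
$drivers | Export-Csv -NoTypeInformation -Path $csv
Write-Host "Full inventory written to $csv"
```

A flagged row tells you the file name matches; compare the Version and Sha256 columns with the vendor’s advisory before treating the host as exposed. If HvciRunning is False and the blocklist is disabled, a driver that an administrator drops on the box in a BYOVD attack faces no platform-level check at load time, which is exactly the scenario the WDTKernel.sys and H2OFFT64.sys finding describes.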

“Currently, the API/instructions field targeted by the script [an IDAPython script for automated static analysis of vulnerable x64 drivers] is limited and restricted to firmware access only,” Haruyama said. “However, it is easy to extend the code to cover other attack vectors (e.g., terminating malicious processes).”

Yet more proof of the importance of system updates

This discovery further highlights how crucial it is to keep operating systems and device drivers (Windows drivers, in this case) up to date.

Updates released by vendors often include fixes for known vulnerabilities and are a key means of improving device security; ignoring them (which, unfortunately, many people do when they should not) can leave systems exposed to known risks (and, in some cases, to unknown ones as well), allowing attackers to exploit vulnerabilities that have already been patched.

It should be noted that many of these updates (Windows drivers included) are applied automatically by the latest versions of Windows (Windows 10 and Windows 11 at the time of writing), and many others are delivered through the optional Windows updates (a function that has made life considerably easier in recent years, at least where drivers are concerned).

Therefore, it is essential that users and organizations adopt a rigorous update and maintenance policy to protect their devices from these threats.