Critical Vulnerability Alert: 34 Windows Drivers Pave the Way for Full Device Hijack

In a worrisome discovery, a group of vigilant researchers has unearthed a total of 34 vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers that could spell trouble for device security. These drivers could potentially be exploited by non-privileged threat actors, granting them full control over the compromised devices and allowing them to execute arbitrary code on the underlying systems.


Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, paints a concerning picture of these vulnerabilities: "By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges."


This revelation builds upon prior studies like ScrewedDrivers and POPKORN, which utilized symbolic execution to automatically uncover vulnerable drivers. The new research zeroes in on drivers that provide firmware access via port I/O and memory-mapped I/O.


Among the list of precarious drivers are names like AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, and PDFWKRNL.sys (CVE-2023-20598). The potential ramifications of exploiting these drivers are wide-ranging.


Device Takeover

Of the 34 identified drivers, six possess the alarming ability to access kernel memory, a power that could be harnessed to elevate privilege and outmaneuver security measures. A dozen of the drivers harbor the capability to undermine security mechanisms like kernel address space layout randomization (KASLR).


An additional seven drivers, including Intel's stdcdrv64.sys, are capable of erasing firmware stored in the SPI flash memory, rendering the entire system unbootable. Intel has taken corrective action to address this issue.


Moreover, VMware's researchers have identified certain WDF drivers, such as WDTKernel.sys and H2OFFT64.sys, which are not themselves vulnerable in terms of access control.


Nevertheless, skilled threat actors could easily weaponize them to execute what's known as a "Bring Your Own Vulnerable Driver (BYOVD)" attack. This tactic has previously been leveraged by malevolent adversaries, including the North Korea-linked Lazarus Group, as a means to gain elevated privileges and disarm security software on compromised endpoints, thereby avoiding detection.


It's important to note that the current scope of the APIs/instructions covered by the researchers' IDAPython script, which automates static code analysis of x64 vulnerable drivers, remains somewhat narrow, primarily focusing on firmware access.
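The firmware-access primitives described earlier (port I/O and memory-mapped I/O) and the static-analysis script mentioned here suggest a simple defender-side triage step: before allow-listing a third-party x64 driver, check which kernel imports hand it physical-memory mappings. The Python below is an added example and not the researchers' IDAPython script; the watch-list of API names is my assumption of what to look for, and the PE image it scans is a constructed sample, not a real driver.

```python
import struct
MMIO_APIS = {"MmMapIoSpace", "MmMapIoSpaceEx", "MmCopyMemory", "ZwMapViewOfSection"}  # assumed watch-list

def pe_imports(data):
    """Return {dll: [function names]} by walking an x64 (PE32+) image's import table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0" and struct.unpack_from("<H", data, pe + 24)[0] == 0x20B
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    imp_rva = struct.unpack_from("<I", data, pe + 24 + 112 + 8)[0]      # data directory entry 1 (imports)
    secs = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + i * 40 + 8) for i in range(nsec)]
    def off(rva):                                  # RVA -> file offset via the section table
        for vs, va, rs, ro in secs:
            if va <= rva < va + max(vs, rs):
                return rva - va + ro
        raise ValueError("RVA %#x outside all sections" % rva)
    def cstr(o): return data[o:data.index(b"\0", o)].decode("ascii")
    out, d = {}, off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)   # IMAGE_IMPORT_DESCRIPTOR
        if not (oft or name_rva or ft):            # all-zero descriptor terminates the table
            return out
        funcs, t = [], off(oft or ft)
        while (e := struct.unpack_from("<Q", data, t)[0]):
            if not e >> 63:                        # import by name: 2-byte hint, then the name
                funcs.append(cstr(off(e) + 2))
            t += 8
        out[cstr(off(name_rva))] = funcs
        d += 20

def flag_mmio_imports(data):
    """Watch-listed names the driver imports: a reason to look closer before trusting it."""
    return sorted(f for fs in pe_imports(data).values() for f in fs if f in MMIO_APIS)

def build_sample_driver():
    """Constructed minimal PE32+ (not a real driver) whose one section imports two ntoskrnl.exe names."""
    S = 0x1000                                     # section RVA == file offset keeps the math simple
    sec = bytearray(0x80)
    struct.pack_into("<IIIII", sec, 0, S + 0x28, 0, 0, S + 0x40, S + 0x28)   # descriptor; zeros after it end the table
    struct.pack_into("<QQQ", sec, 0x28, S + 0x50, S + 0x60, 0)             # thunks, zero-terminated
    sec[0x40:0x4D] = b"ntoskrnl.exe\0"
    sec[0x50:0x5F] = b"\0\0MmMapIoSpace\0"
    sec[0x60:0x71] = b"\0\0IoCreateDevice\0"
    hdr, pe = bytearray(S), 0x80
    hdr[:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header, 1 section
    struct.pack_into("<H", hdr, pe + 24, 0x20B)                             # PE32+ magic
    struct.pack_into("<II", hdr, pe + 24 + 112 + 8, S, 0x28)                # import directory RVA/size
    struct.pack_into("<8sIIII", hdr, pe + 24 + 240, b".rdata", 0x80, S, 0x80, S)  # section header
    return bytes(hdr + sec)
```

Port I/O is emitted as inline in/out instructions and never appears in the import table, so this check only covers the memory-mapped side that the research describes. A match is a reason to review the driver's IOCTL access control, not proof that it is exploitable.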


This revelation raises the alarm for the cybersecurity community, emphasizing the urgent need to stay vigilant and updated to counteract the growing threats in the digital landscape.
