At this year’s DefCon security conference, security researchers from Eclypsium revealed in a presentation that they have discovered common design flaws in over 40 kernel drivers from 20 different hardware vendors.
The design flaws found in the drivers could allow low-privileged applications to use legitimate driver functions to execute malicious actions within the most sensitive areas of Microsoft’s Windows including the Windows kernel.
Principal Researcher at Eclypsium, Mickey Shkatov provided more details on the firm’s discovery in an email to ZDNet, saying:
“There are a number of hardware resources that are normally only accessible by privileged software such as the Windows kernel and need to be protected from malicious read/write from userspace applications. The design flaw surfaces when signed drivers provide functionality which can be misused by userspace applications to perform arbitrary read/write of these sensitive resources without any restriction or checks from Microsoft.”
According to Shkatov, bad coding practices that don’t take security into account are responsible for the flaws. Instead of making a driver only perform specific tasks, hardware vendors often write their code to be more flexible which in turn puts the security of systems using the drivers at risk.
Driver security flaws
Eclypsium has notified all of the hardware vendors whose drivers allow userspace apps to run kernel code and so far the list of affected companies includes American Megatrends International (AMI), ASRock, ASUSTeK Computer, AMD, Biostar, EVGA, Getac, GIGABYTE, Huawei, Insyde, Intel MSI, NVIDIA, Phoenix Technologies, Realtek Semiconductor, SuperMicro and Toshiba.
Shkatov points out that some vendors such as Intel and Huawei have already issued updates while independent BIOS vendors like Phoenix and Insyde are releasing updates to their customer OEMs. However, Eclypsium has not yet named all of the impacted vendors as some need extra time to address the issue.
Microsoft offered further clarity on the matter in a statement, saying:
“In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer. To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers. Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security. Microsoft works diligently with industry partners to address to privately disclose vulnerabilities and work together to help protect customers.”
For those interested in learning more, Eclypsium has published all of the details about its findings in a blog post on its site.