
Flaws in device drivers from 20 vendors allow hackers to install a persistent backdoor

Researchers discovered multiple flaws in more than 40 device drivers from at least 20 different vendors that could be exploited to install a persistent backdoor on Windows PCs.

Experts at firmware security firm Eclypsium have conducted a study on the device drivers from major vendors and discovered serious issues in over 40 drivers from 20 companies.

The researchers warn that the vulnerabilities can be exploited by attackers to deploy a persistent backdoor on vulnerable systems.

Flawed drivers were developed by several major vendors, including ASUS, Toshiba, Intel, NVIDIA, and Huawei; below is the complete list:

  • American Megatrends International (AMI)
  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • GIGABYTE
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • NVIDIA
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

Device drivers are computer programs that provide a software interface to hardware devices connected to computers. They enable operating systems and other computer programs to access hardware functions without needing to know the precise details of the hardware being used.

Device drivers operate between the hardware and the operating system and usually have high privileges that allow them to access the OS kernel. A vulnerability affecting device drivers could be exploited by attackers to execute malicious code at the kernel layer.

A privilege escalation issue could be exploited to move from user mode (Ring 3) to OS kernel mode (Ring 0) and install persistent malware on the target system without raising suspicion.

Some of the issues could be exploited by attackers to read/write the kernel memory, the model-specific registers (MSRs), the Control Registers (CR), the Debug Registers (DR), and the physical memory.

“All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory.” reads the report published by the experts.

“It is important to note that even Administrators operate at Ring 3 (and no deeper), alongside other users. Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware.”

Experts pointed out that a signed driver doesn’t mean that it is secure. All the flawed device drivers analyzed by the researchers have been certified by Microsoft and signed with valid certificates issued by legitimate Certificate Authorities.

“A vulnerable driver could also give an attacker access to the “negative” firmware rings that lie beneath the operating system. As seen with the LoJax malware, this allows malware to attack vulnerable system firmware (e.g. UEFI) to maintain persistence on the device, even if the operating system is completely reinstalled.” continues the report.

The researchers also analyzed device drivers from three more unnamed vendors that are still under embargo due to their work in highly regulated environments.

The researchers explained that the flaws could also impact device components (i.e. graphics cards, network adapters, hard drives) that interact with vulnerable device drivers. An attacker could implant a persistent malware inside these devices to read, write, or redirect data stored, displayed or sent over the network.

Researchers reported the vulnerabilities to the affected vendors, and some of them, including Intel and Huawei, quickly addressed them.

Experts plan to release PoC exploit code for the flaws and a script that can be used to find flawed device drivers installed on a computer.
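As an added, defender-side illustration of what such a detection script does (this is not Eclypsium's script, and no real driver names or hashes from the report appear in it), the block below parses the inventory printed by `driverquery /v /fo csv`, hashes each listed driver image and reports every driver whose SHA-256 is on a blocklist. The driver names, paths, image bytes and blocklist entries are all constructed sample data; in real use the inventory would come from `driverquery` and `read_image` would read the `.sys` file from disk.

```python
"""Flag installed Windows kernel drivers whose image hash is on a blocklist.

Added example, not Eclypsium's script. It consumes the CSV that
`driverquery /v /fo csv` prints and hashes each driver image. All driver
names, paths, image bytes and blocklist entries below are constructed
sample data, not real indicators from the report.
"""
import csv
import hashlib
import io
from dataclasses import dataclass
from typing import Callable, Dict, List, Mapping


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed driver images, keyed by path: an offline stand-in for reading
# the .sys file from disk.
SAMPLE_IMAGES: Dict[str, bytes] = {
    r"C:\Windows\System32\drivers\vendorio.sys": b"constructed image: vendor hardware-access driver",
    r"C:\Windows\System32\drivers\acpi.sys": b"constructed image: stock ACPI driver",
    r"C:\Windows\System32\drivers\tunerutil.sys": b"constructed image: old tuning-utility driver",
}

# Constructed blocklist: SHA-256 of the image -> why it is blocked. A real
# list would carry the hashes published by the vendor or a threat-intel feed.
BLOCKLIST: Dict[str, str] = {
    sha256_hex(SAMPLE_IMAGES[r"C:\Windows\System32\drivers\vendorio.sys"]):
        "placeholder: exposes arbitrary MSR and physical-memory access",
    sha256_hex(SAMPLE_IMAGES[r"C:\Windows\System32\drivers\tunerutil.sys"]):
        "placeholder: exposes arbitrary kernel-memory read/write",
}

# Constructed inventory in the column layout of `driverquery /v /fo csv`.
# Only "Module Name", "State" and "Path" are used below.
SAMPLE_INVENTORY = r'''"Module Name","Display Name","Description","Driver Type","Start Mode","State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)","Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"
"vendorio","Vendor IO Driver","Vendor IO Driver","Kernel","Auto","Running","OK","TRUE","FALSE","4,096","8,192","0","1/1/2018 12:00:00 AM","C:\Windows\System32\drivers\vendorio.sys","1,024"
"acpi","Microsoft ACPI Driver","Microsoft ACPI Driver","Kernel","Boot","Running","OK","TRUE","FALSE","4,096","8,192","0","1/1/2018 12:00:00 AM","C:\Windows\System32\drivers\acpi.sys","1,024"
"tunerutil","Tuning Utility Driver","Tuning Utility Driver","Kernel","Manual","Stopped","OK","TRUE","FALSE","4,096","8,192","0","1/1/2018 12:00:00 AM","C:\Windows\System32\drivers\tunerutil.sys","1,024"
'''


@dataclass
class Finding:
    module: str
    path: str
    state: str
    sha256: str
    reason: str


def scan_inventory(inventory_csv: str,
                   read_image: Callable[[str], bytes],
                   blocklist: Mapping[str, str]) -> List[Finding]:
    """Return one Finding per installed driver whose image hash is blocklisted.

    A driver is reported whether it is Running or Stopped: a stopped but
    installed driver can still be started by an administrator, who (as the
    report notes) runs at Ring 3 and would reach Ring 0 through the driver.
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        path = row["Path"]
        try:
            digest = sha256_hex(read_image(path))
        except (OSError, KeyError):
            # Image listed but not readable; worth its own report in practice.
            continue
        reason = blocklist.get(digest)
        if reason is not None:
            findings.append(Finding(row["Module Name"], path, row["State"], digest, reason))
    return findings


def scan_sample() -> List[Finding]:
    """Run the scan over the constructed data. Real use would pass
    lambda p: open(p, "rb").read() as read_image."""
    return scan_inventory(SAMPLE_INVENTORY, SAMPLE_IMAGES.__getitem__, BLOCKLIST)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.module:<12} {f.state:<8} {f.sha256[:16]}...  {f.reason}\n    {f.path}")
```

Matching on the image hash rather than the file name is deliberate: the report's point is that these drivers are validly signed, so signature checks alone do not help, and a vendor may ship the same vulnerable image under several names. The stock driver in the sample inventory passes through untouched, while both blocklisted images are reported regardless of whether the service is running.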

The DEF CON presentation is available here.


Pierluigi Paganini

(SecurityAffairs – device drivers, Android)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
