Researchers have discovered that non-privileged attackers are exploiting as many as 34 distinct Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers with vulnerabilities, enabling them to achieve complete control over the associated devices and execute any desired code on the underlying systems.
[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing
Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, stated, “By taking advantage of the drivers, an attacker without privilege can erase or change firmware and/or elevate [operating system] privileges.”
This study builds upon earlier research projects such as ScrewedDrivers and POPKORN, which employed symbolic execution to identify vulnerable drivers automatically. The focus here primarily centers on drivers that grant firmware access via memory-mapped I/O and port I/O.
Some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys.
Out of the 34 drivers, six provide access to kernel memory, potentially granting attackers additional power to bypass security measures. Furthermore, twelve of these drivers could potentially compromise security measures like kernel address space layout randomization (KASLR).
Seven of the drivers, including Intel’s stdcdrv64.sys, could be utilized to erase firmware from SPI flash memory, rendering the machine incapable of starting. It’s worth noting that Intel has already addressed this issue.
VMware also identified WDF drivers like WDTKernel.sys and H2OFFT64.sys, which may not have weak access controls but can still be exploited by threat actors with access, allowing for what is referred to as a Bring Your Own Vulnerable Driver (BYOVD) attack.
Various adversaries, including the Lazarus Group with suspected ties to North Korea, have employed this method to gain elevated privileges and disable security software on compromised endpoints, ensuring they remain undetected.
“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” said Haruyama.
“However, it is easy to extend the code to cover other attack vectors (e.g. terminating arbitrary processes).”
As the cybersecurity landscape continues to evolve, understanding and addressing vulnerabilities in drivers is paramount to maintaining the security and integrity of computer systems.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.