A team of security researchers has discovered high-risk security vulnerabilities in more than 40 drivers from at least 20 different vendors that could allow attackers to gain most privileged permission on the system and hide malware in a way that remains undetected over time, sometimes for years.
For sophisticated attackers, maintaining persistence after compromising a system is one of the most important tasks, and to achieve this, existing hardware vulnerabilities sometimes play an important role.
One such component is a device driver, commonly known as a driver or hardware driver, a software program that controls a particular type of hardware device, helping it to communicate with the computer's operating system properly.
Since device drivers sit between the hardware and the operating system itself and in most cases have privileged access to the OS kernel, a security weakness in this component can lead to code execution at the kernel layer.
This privilege escalation attack can move an attacker from user mode (Ring 3) to OS kernel-mode (Ring 0), as shown in the image, allowing them to install a persistent backdoor in the system that a user would probably never realize.
"All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, which could allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host," the researchers explain in their report titled 'Screwed Drivers.'
"Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware."
Since malware running in the user space can simply scan for a vulnerable driver on the victim machine to compromise it, attackers don't have to install their own vulnerable driver, installing which otherwise requires system administrator privileges.
All the vulnerable drivers, as listed below, uncovered by the researchers, have been certified by Microsoft.
- American Megatrends International (AMI)
- ASUSTeK Computer
- ATI Technologies (AMD)
- Micro-Star International (MSI)
- Phoenix Technologies
- Realtek Semiconductor
The list also includes three more hardware vendors which researchers did not name yet, as they are "still under embargo due to their work in highly regulated environments and will take longer to have a fix certified and ready to deploy to customers."
"Some vulnerable drivers interact with graphics cards, network adapters, hard drives, and other devices," researchers explain. "Persistent malware inside these devices could read, write, or redirect data stored, displayed, or sent over the network. Likewise, any of the components could be disabled as part of a DoS or ransomware attack."
Device driver flaws can be more dangerous than other application vulnerabilities because it allows an attacker access to the "negative" firmware rings that lie beneath the operating system and maintain persistence on the device, even if the operating system is completely reinstalled, just like in case of LoJax malware.
Researchers have reported these vulnerabilities to the affected vendors, of which some, including Intel and Huawei, have already released patch updates and issued a security advisory.
Besides this, researchers have also promised to soon release a script on GitHub that would help users find wormhole drivers installed on their systems, along with proof-of-concept code, video demonstrations, and links to vulnerable drivers and tools.