Security researchers have found, in an analysis of legitimate device drivers, that more than 40 drivers from at least 20 hardware vendors are vulnerable to privilege escalation.
Device drivers sit between the operating system and the UEFI/BIOS and the hardware, so a driver runs with higher privileges than the software of standard users and administrators. Some drivers are also used to update the firmware. Windows drivers are therefore digitally signed by Microsoft, and Windows 10 now only loads signed drivers. If malware succeeds in exploiting weaknesses in such drivers, the door is open to manipulate the system and, via the drivers used for firmware updates, the firmware itself.
Security researchers at the firmware and hardware security firm Eclypsium have found that a common design flaw in dozens of device drivers allows widespread Windows compromise. More than 40 drivers are vulnerable to privilege escalation: user programs can use the drivers to obtain kernel privileges. Bleeping Computer has published the information in this article. Eclypsium writes about its findings:
All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory.
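The proxy pattern Eclypsium describes, as an added illustration that is not Eclypsium's code or any vendor's driver: a user-mode C model of a hypothetical IOCTL handler that forwards a caller-supplied physical address to "hardware" unchecked, next to the same handler gated on caller privilege and on the device's own address window. The memory layout, IOCTL codes and sizes are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Simulated "physical memory" (constructed): the first half stands in for
 * kernel/firmware pages, the second half for the device's own MMIO window. */
#define PHYS_SIZE 256
#define DEVICE_MMIO_BASE 128
#define DEVICE_MMIO_SIZE 128
static uint8_t g_phys[PHYS_SIZE];

/* Hypothetical IOCTL codes, not those of any real driver. */
enum { IOCTL_PHYS_READ = 1, IOCTL_PHYS_WRITE = 2 };

struct ioctl_req {
    uint32_t code;            /* IOCTL_PHYS_READ or IOCTL_PHYS_WRITE */
    uint64_t phys_addr;       /* caller-supplied physical address */
    uint8_t  value;           /* value to write, or buffer for a read */
    bool     caller_is_admin; /* privilege of the requesting process */
};

/* The flawed pattern: whatever address the caller supplies is forwarded to
 * hardware with no check on who is asking or where the address points. */
int vulnerable_dispatch(struct ioctl_req *r) {
    if (r->phys_addr >= PHYS_SIZE) return -1;   /* bounds of the model only */
    if (r->code == IOCTL_PHYS_WRITE) g_phys[r->phys_addr] = r->value;
    else if (r->code == IOCTL_PHYS_READ) r->value = g_phys[r->phys_addr];
    else return -1;
    return 0;
}

/* Hardened: the IOCTL is refused for unprivileged callers (a real driver
 * would enforce this through the device object's security descriptor) and
 * the address must fall inside the device's own MMIO window, so the driver
 * can no longer serve as a generic proxy to kernel memory or firmware. */
int hardened_dispatch(struct ioctl_req *r) {
    if (!r->caller_is_admin) return -2;                        /* access denied */
    if (r->phys_addr < DEVICE_MMIO_BASE ||
        r->phys_addr >= DEVICE_MMIO_BASE + DEVICE_MMIO_SIZE) return -3;
    return vulnerable_dispatch(r);   /* same hardware access, now gated */
}

/* Demonstration helper: does an unprivileged write land on a kernel page? */
bool unprivileged_write_reaches_kernel_page(int (*dispatch)(struct ioctl_req *)) {
    memset(g_phys, 0, sizeof g_phys);
    struct ioctl_req r = { IOCTL_PHYS_WRITE, 0x10, 0x41, false };
    dispatch(&r);
    return g_phys[0x10] == 0x41;
}
```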
This isn’t a theoretical risk; precisely these scenarios have been used in cyber espionage operations in the past. According to Bleeping Computer, the Slingshot APT group used older vulnerable drivers to escalate privileges on infected computers. The LoJax rootkit of APT28 (alias Sednit, Fancy Bear, Strontium, Sofacy) was stored in the UEFI firmware via a signed driver. Eclypsium has so far published the following list of hardware vendors that provide vulnerable drivers for Windows:
American Megatrends International (AMI)
ATI Technologies (AMD)
Micro-Star International (MSI)
According to the article, this list is incomplete, as some information is still under embargo and unpublished. You can read the DEF CON presentation here.