Security holes discovered in 40 kernel drivers from 20 famous PC component manufacturers

Tram Ho

At the DEF CON 27 security conference held today in Las Vegas, security researchers from Eclypsium gave a talk about common design vulnerabilities they discovered in more than 40 kernel drivers from 20 different hardware manufacturers.

The common design vulnerabilities mentioned here allow low-privilege applications to use the drivers' own functions to perform malicious actions in the most sensitive areas of the Windows operating system, such as the Windows kernel.

“There are a large number of hardware resources that are usually only accessible by preferred software, such as the Windows kernel, and need to be protected from dangerous read/write behaviors from user applications,” Mickey Shkatov, a researcher at Eclypsium, said.

“Design flaws appear when signed drivers provide functions that can be exploited by user applications to execute full read/write commands on sensitive resources without any limitation or check from Microsoft,” he added.

Shkatov said the problems he discovered were caused by poor coding practices that paid no attention to security during software development.

“This is a very common non-standard software design behavior: instead of letting the driver perform only specific tasks, they are written in a flexible way to optionally execute actions as a user.”

“Structuring the driver and applications this way makes developing software easier, but it opens the system for others to take advantage of.”
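The design anti-pattern described in the quotes above, as an added example that is not code from the article, Eclypsium or any affected vendor: a user-space C simulation contrasting a "flexible" request handler with one scoped to a single task. The register table, request structure and every name in it are hypothetical.

```c
/* Constructed user-space simulation: no real driver, IOCTL or hardware is involved. */
#include <stdint.h>
#include <stdio.h>

#define NUM_REGS      8
#define REG_FAN_SPEED 2   /* hypothetical: the only resource the vendor utility needs */
#define REG_BOOT_LOCK 5   /* hypothetical: a sensitive setting user apps must not change */

static uint32_t regs[NUM_REGS];   /* stand-in for privileged hardware state */

enum op { OP_READ, OP_WRITE };
struct request { enum op op; uint32_t index; uint32_t value; };  /* sent by the user app */

void reset_regs(void)
{
    for (int i = 0; i < NUM_REGS; i++) regs[i] = 0;
    regs[REG_FAN_SPEED] = 1200;
    regs[REG_BOOT_LOCK] = 1;
}
uint32_t peek_reg(uint32_t i) { return regs[i]; }

/* Anti-pattern: the driver forwards whatever target and operation the caller
 * chose, so every caller inherits full read/write access to the resource. */
int handle_flexible(const struct request *r, uint32_t *out)
{
    if (r == NULL || out == NULL || r->index >= NUM_REGS)
        return -1;                         /* bounds check only, no policy */
    if (r->op == OP_WRITE)
        regs[r->index] = r->value;
    *out = regs[r->index];
    return 0;
}

/* Scoped design: the driver performs one specific task (report the fan speed)
 * and refuses any other operation or target. */
int handle_scoped(const struct request *r, uint32_t *out)
{
    if (r == NULL || out == NULL) return -1;
    if (r->op != OP_READ || r->index != REG_FAN_SPEED) return -1;
    *out = regs[REG_FAN_SPEED];
    return 0;
}

int main(void)
{
    uint32_t out = 0;
    struct request w = { OP_WRITE, REG_BOOT_LOCK, 0 };  /* caller tries to clear the lock */
    reset_regs();
    int rc = handle_flexible(&w, &out);
    printf("flexible: rc=%d lock=%u\n", rc, (unsigned)peek_reg(REG_BOOT_LOCK));
    reset_regs();
    rc = handle_scoped(&w, &out);
    printf("scoped:   rc=%d lock=%u\n", rc, (unsigned)peek_reg(REG_BOOT_LOCK));
    return 0;
}
```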

Manufacturers affected by the design flaws

Shkatov said his company had informed each hardware manufacturer whose driver had a vulnerability allowing user applications to run kernel code. The manufacturers that have released patch updates are listed below:

– American Megatrends International (AMI)
– ASRock
– ASUSTek Computer
– ATI Technologies (AMD)
– Biostar
– EVGA
– Getac
– GIGABYTE
– Huawei
– Insyde
– Intel
– Micro-Star International (MSI)
– NVIDIA
– Phoenix Technologies
– Realtek Semiconductor
– SuperMicro
– Toshiba

“Some manufacturers, like Intel and Huawei, have released updates. Some of these are IBVs (independent BIOS manufacturers) like Phoenix and Insyde, which are also about to release updates to their OEM customers,” Shkatov said.

The Eclypsium researcher said he did not name all manufacturers affected by the vulnerability because some “need more time for special situations”, and patches and instructions will be released in the future.

He also said that he will post the list of affected drivers and their hashes on GitHub after the talk so that users and system administrators can block affected drivers.

In addition, Shkatov said that Microsoft will use HVCI (Hypervisor-enforced Code Integrity) to blacklist the drivers reported to it.

However, Shkatov confirmed the HVCI feature is only supported on 7th-generation Intel CPUs and later. Older systems will need manual intervention, as will newer Intel CPUs on which HVCI cannot be enabled.

“In order to take advantage of affected drivers, an attacker will need to interfere with the computer beforehand,” Microsoft said. “To help minimize this type of problem, Microsoft recommends that customers use Windows Defender Application Control to block known software and drivers. Customers can better protect themselves by enabling the memory protection feature on devices that can be activated in Windows Security. Microsoft will actively cooperate with industry partners to solve the disclosed vulnerabilities discreetly and work together to protect customers.”

Reference: ZDNet

Source : Trí Thức Trẻ