Vulnerabilities found in drivers released by Intel, AMD, Nvidia and several other vendors can potentially give bad actors full control of Windows-based computers and their underlying firmware, even after the operating system is reinstalled, according to new research from an Intel-backed security firm.
Eclypsium, a security startup backed by Intel Capital and Andreessen Horowitz, disclosed the vulnerabilities, collectively dubbed "Screwed Drivers," over the weekend, saying that more than 40 drivers from at least 20 different vendors are impacted.
The firm said the vulnerabilities, which impact all modern versions of Windows, highlight a "fundamental issue" with Microsoft's driver certification process.
"Since the presence of a vulnerable driver on a device can provide a user (or attacker) with improperly elevated privileges, we have engaged Microsoft to support solutions to better protect against this class of vulnerabilities, such as blacklisting known bad drivers," Eclypsium wrote in a blog post.
Eclypsium, which provides software to protect against firmware-based attacks, said the following BIOS and hardware vendors are affected:
- ASUSTeK Computer
- ATI Technologies (AMD)
- Micro-Star International (MSI)
- Phoenix Technologies
- Realtek Semiconductor
CRN has reached out to several impacted vendors for comment.
An Intel spokesperson said the company issued a security advisory for the vulnerability in its Intel Processor Diagnostic Tool on July 9, which recommended that users update the software to a newer version.
However, Eclypsium's disclosure appeared to be news to AMD. A company spokesperson said the chipmaker "was made aware of potential industry-wide, driver-related vulnerabilities" when the security firm published its blog post over the weekend.
AMD said it's actively investigating the issue and will provide further updates on its security website as needed.
"At AMD, security is a top priority. Through our ongoing work with researchers and the entire computing ecosystem, we are committed to identifying and, as appropriate, mitigating newly discovered potential risks," the company said.
Eclypsium said it has withheld the names of some affected vendors who are "still under embargo due to their work and highly regulated environments." Those vendors "will take longer to have a fix certified to deploy to customers," the firm added.
Eclypsium said the vulnerable drivers "can make it increasingly challenging to secure the firmware attack surface," especially since there is no universal mechanism available to prevent bad drivers from being loaded. This creates an opening for attackers, the firm said, giving them the ability to potentially render devices unusable or collect data from devices for years, even after the data has been erased.
The firm recommends organizations run continuous scans for outdated firmware on their systems and update to the most recent device drivers when they become available from vendors. Organizations should also monitor and test firmware integrity to track unapproved or unexpected changes. In addition, organizations using Windows Pro, Windows Enterprise and Windows Server can implement group policies and other features to offer some protection to a subset of users.
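The driver inventory those recommendations call for can be scripted. The following PowerShell is an added example, not code from the article or from Eclypsium; it assumes an elevated session on Windows 10 or Windows Server, and the vendor-name heuristic and the HVCI status check are this example's own choices rather than anything the article specifies.

```powershell
# Added example (not from the CRN article or Eclypsium): list the kernel drivers
# currently loaded on a host, with vendor, version and signature state, so they
# can be compared against vendor advisories or a block list of known bad drivers.

$running = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($drv in $running) {
    # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it to a file path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $info = (Get-Item -LiteralPath $path).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $path

    [pscustomobject]@{
        Service   = $drv.Name
        Path      = $path
        Company   = $info.CompanyName
        Version   = $info.FileVersion
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        # Heuristic (an assumption of this example): WHQL-certified third-party drivers
        # carry a Microsoft Authenticode signature, so the signer alone does not identify
        # the vendor; the CompanyName resource in the .sys file usually does.
        ThirdParty = ($info.CompanyName -notmatch 'Microsoft')
    }
}

# Third-party drivers are the ones to check against each vendor's advisory and
# update when a newer version is available.
$report | Where-Object ThirdParty | Sort-Object Company, Service |
    Format-Table Service, Company, Version, SigStatus -AutoSize

# Hypervisor-protected code integrity (HVCI) with a code integrity policy is one of the
# platform features that can refuse to load drivers not on an allow list. In the
# Win32_DeviceGuard class, SecurityServicesRunning contains 1 for Credential Guard
# and 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) { 'HVCI: enforced' } else { 'HVCI: not running' }
```

Export `$report` (for example with `Export-Csv`) from each host to keep a baseline, so that a newly appearing driver or a version that a vendor advisory has superseded stands out on the next scan.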
How The Vulnerabilities Work
The "Screwed Drivers" vulnerabilities work by using the driver as a proxy to gain highly privileged access to several hardware resources, including read and write access in the processor and chipset I/O, Model Specific Registers, Control Registers, Debug Registers, physical memory and kernel virtual memory, Eclypsium said.
Attackers can initially gain access by using malware to scan for vulnerable drivers. Once found, they can receive access to OS kernel mode, the most privileged access available to the operating system, and potentially even hardware and firmware interfaces, including the system BIOS.
This can allow attackers to install malware directly on device firmware, giving malicious software the ability to remain on the device, even after the operating system has been reinstalled — a capability that has already been demonstrated by a strain of malware called LoJax, according to Eclypsium.
"The problem extends to device components, in addition to the system firmware. Some vulnerable drivers interact with graphics cards, network adapters, hard drives, and other devices. Persistent malware inside these devices could read, write, or redirect data stored, displayed or sent over the network," Eclypsium wrote in its blog post.
What's more, an attacker could disable these components with a ransomware or denial-of-service attack, the firm added.
Additional reporting by Steve Burke.