Sunday, August 11th 2019

Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

Cybersecurity research firm Eclypsium published a report titled "Screwed Drivers," chronicling a critical flaw in the design of modern device driver software from over 40 hardware manufacturers, which allows malware to gain privilege from Ring 3 to Ring 0 (unrestricted hardware access). The long list of manufacturers publishing drivers that are fully signed and approved by Microsoft under its WHQL program, includes big names such as Intel, AMD, NVIDIA, AMI, Phoenix, ASUS, Toshiba, SuperMicro, GIGABYTE, MSI, and EVGA. Many of the latter few names are motherboard manufacturers who design hardware monitoring and overclocking applications that install kernel-mode drivers into Windows for Ring-0 hardware-access.

As part of its study, Eclypsium chronicles three classes of privilege-escalation attacks exploiting device drivers, RWEverything, LoJax (first UEFI malware), SlingShot. At the heart of these are the exploitation of the way Windows continues to work with drivers with faulty, obsolete, or expired signing certificates. Eclypsium hasn't gone into the nuts-and-bolts of each issue, but has briefly defined the three in a DEF CON presentation. The firm is working by several of the listed manufacturers on mitigations and patches, and is under embargo to put out a whitepaper. RWEverything is introduced by Eclypsium as a utility to access all hardware interfaces via software. It works in user-space, but with a one-time installed signed RWDrv.sys kernel-mode driver, acts as a conduit for malware to gain Ring-0 access to your machine. LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash. Slingshot is an APT with its own malicious driver that exploits other drivers with read/write MSR to bypass driver signing enforcement to install a rootkit.
Source: Eclypsium
Add your own comment

43 Comments on Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

#2
FinneousPJ
I wonder if Linux drivers are affected
Posted on Reply
#3
windwhirl
I remember someone from MS (or some book about Windows, my memory is kinda foggy right now) saying that Windows only uses two privilege levels, Ring 3 and 0, because some other CPU arch, which MS planned compatibility with in NT 3.x/4.0 times, only had those two... I wonder if that decision isn't coming back to bite them in the butt after all.
Posted on Reply
#4
birdie
FinneousPJ, post: 4096339, member: 189294"
I wonder if Linux drivers are affected
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.
Posted on Reply
#5
micropage7
LoJax (first UEFI malware) can rewrite UEFI? never thought that malware can rewrite in BIOS level
Posted on Reply
#6
TheGuruStud
Microsoft driver signing is a joke and doesn't even work, anyway. Blame them. You could patch every driver with malware and no one would be the wiser.
Posted on Reply
#7
Smartcom5
micropage7, post: 4096353, member: 82848"
LoJax (first UEFI malware) can rewrite UEFI? never thought that malware can rewrite in BIOS level
Sometimes the malware actually sits at BIOS-level, while pretending to be some UEFI in the first place.

Smartcom
Posted on Reply
#8
lynx29
birdie, post: 4096349, member: 131299"
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.
Very nice, I was planning to move to Linux Mint XFCE as a large number of the games I want to play work natively on Linux now, and Freesync also apparently works on Linux now.
Posted on Reply
#10
Aquinus
Resident Wat-man


In all seriousness, anything that runs with elevated privileges at any point could theoretically be a vector for attack, even in Linux. The difference is how drivers in Linux are delivered versus on Windows.
Posted on Reply
#11
Fluffmeister
zlobby, post: 4096389, member: 172939"
Not great, not terrible.
Man, loved that show!
Posted on Reply
#12
Vayra86
So it got discovered before major abuse occurred and now we get a fix.

Problem is being solved... next! :)
Posted on Reply
#13
HTC
Vayra86, post: 4096413, member: 152404"
So it got discovered before major abuse occurred and now we get a fix.

Problem is being solved... next! :)
And you know this ... how exactly?

For all we know, it could have been used repeatedly without anyone figuring out this was the cause. Now that it's known, developers involved can figure out ways to patch it, but before ... your guess is as good as mine.
Posted on Reply
#14
Vayra86
HTC, post: 4096427, member: 51238"
And you know this ... how exactly?

For all we know, it could have been used repeatedly without anyone figuring out this was the cause. Now that it's known, developers involved can figure out ways to patch it, but before ... your guess is as good as mine.
Because the internet would be too small if it did...
Posted on Reply
#15
HTC
Vayra86, post: 4096430, member: 152404"
Because the internet would be too small if it did...
All we would hear was company X was attacked and Y stuff was compromised.

When companies are victim of such breaches, they don't publish how they were attacked, do they?
Posted on Reply
#16
Vayra86
HTC, post: 4096431, member: 51238"
All we would hear was company X was attacked and Y stuff was compromised.

When companies are victim of such breaches, they don't publish how they were attacked, do they?
Yes, they have to because its a data leak and if they don't, they're breaking the law. And if they know about a data leak, steps can be taken to mitigate.
Posted on Reply
#18
R-T-B
birdie, post: 4096349, member: 131299"
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.
UEFI malware is however OS independent, and could operate in any OS theoretically.
Posted on Reply
#19
BoMbY
This is not a driver problem. How should anyone prevent any software from accessing their driver, if Windows offers no way for doing so?
Posted on Reply
#20
moproblems99
This is a Microsoft problem more than the other 40 companies.
Posted on Reply
#21
R-T-B
BoMbY, post: 4096435, member: 163247"
How should anyone prevent any software from accessing their driver, if Windows offers no way for doing so?
A driver like the above should never have been signed in the first place.

Drivers with obvious priviledge escalation issues should not be signed either.

More often than not they are though, that is only half the issue though. There are aparently priviledge escalation means via signed drivers to bypass driver signing entirely.

tl;dr: The entire system is a lousy, broken mess, and it mostly originates in Microsoft policy.

Vayra86, post: 4096413, member: 152404"
So it got discovered before major abuse occurred and now we get a fix.

Problem is being solved... next! :)
Depends on your definition of "Major."

I've seen it used.

The biggest lesson from this is even nonadmin code run on your machine is now very dangerous. Honestly, you should always think this way and only run trusted code, but reality makes that hard.
Posted on Reply
#22
HTC
Vayra86, post: 4096432, member: 152404"
Yes, they have to because its a data leak and if they don't, they're breaking the law. And if they know about a data leak, steps can be taken to mitigate.
To authorities yes, but not to the general public, and that's if / when company X discloses it was hacked.

General pubic may have been a target in the meanwhile in order for the hackers to "hone the hack" and, most likely, those affected individuals were never able to figure out how they got attacked.
Posted on Reply
#23
BoMbY
R-T-B, post: 4096437, member: 41983"
A driver like the above should never have been signed in the first place.
Everyone can sign drivers, if they buy a driver signing certificate. The problem is Windows is not offering per-application rights to access privileged resources, like on Android for example. The first time you start an application, Windows should ask you to allow the access to drivers/hardware, and give you the option to remove the rights later.
Posted on Reply
#24
R-T-B
BoMbY, post: 4096448, member: 163247"
Everyone can sign drivers, if they buy a driver signing certificate.
Wrong. You need to go through WHQL before you can sign a kernel mode driver (the kind we are talking about). You furthermore need an EV-signing cert which requires you to run every signing by MS (as well as register your business with MS for blame reasons when something goes wrong).

I know, because I just failed to go through this wringer attempting to sign the open source driver for vjoy. I was refused due to not being a full business license grade business.

google "R-T-B vjoy 1903" and you can see my proof.

The weak points in this otherwise strong system is next to no code inspection and a total lack of use of cert revocation.

BoMbY, post: 4096448, member: 163247"
The problem is Windows is not offering per-application rights to access privileged resources,
The thing is that unprivileged accesses can be escalated. Thus your system would do nothing for this issue.
Posted on Reply
Add your own comment