Security researchers have identified a substantial number of Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers with exploitable weaknesses. Because many of these drivers can be reached from user mode without administrative rights, an attacker without privileged access could use them to take control of a device and execute unauthorized code on affected systems. In this blog, we'll look at the vulnerable WDM and WDF drivers, the risks they pose, and how to mitigate them.
The findings were published by security researcher Takahiro Haruyama of VMware Carbon Black. Rather than a single bug, the research describes a recurring weakness across many drivers: they expose low-level hardware access to callers who should not have it, which can lead to device takeover. By exploiting such drivers, attackers may gain unauthorized access to the firmware and elevate their privileges within the operating system. The work builds on earlier studies, including ScrewedDrivers and POPKORN, the latter of which used symbolic execution to systematically identify weak points in drivers.
The research focused primarily on drivers that expose firmware access through port I/O and memory-mapped I/O (MMIO), the interfaces through which a driver talks to hardware such as the SPI flash controller. A driver that lets a user-mode caller perform arbitrary port or MMIO operations hands that caller a path to full device compromise, putting both the platform and the data on it at risk. Out of the 34 identified vulnerable drivers, some notable ones include:
Of particular concern is that six of the identified drivers grant access to kernel memory. With the ability to read and write kernel memory, an attacker can elevate privileges, tamper with or disable security solutions, and defeat mitigations such as kernel address space layout randomization (KASLR), since reading kernel memory reveals the addresses KASLR is meant to hide. These are practical primitives, not merely theoretical vulnerabilities.
Even more concerning, seven of the identified drivers, including Intel's stdcdrv64.sys, can be used to erase the firmware stored in SPI flash memory. Wiping the flash destroys the system firmware and leaves the machine unable to boot until the chip is reprogrammed, a serious risk to both user data and system availability. Intel has already released a fix for stdcdrv64.sys.
The issue is not limited to WDM drivers. Certain WDF drivers, such as WDTKernel.sys and H2OFFT64.sys, restrict who can open their device objects, so they are not vulnerable in the access-control sense; an attacker who already holds administrative privileges, however, can still load and abuse them. This is the "Bring Your Own Vulnerable Driver" (BYOVD) technique: the attacker installs a legitimately signed but flawed driver and then uses its exposed functionality to gain kernel-level access. Threat actors including the Lazarus Group, linked to North Korea, have used BYOVD to gain elevated privileges, disable security software on compromised endpoints, and avoid detection.
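The distinction above, between drivers whose device objects any user can open and drivers that only an administrator can reach, can be checked directly on an endpoint. The following PowerShell script is an added example written for this post, not code from the research or from the driver vendors: it calls CreateFileW through P/Invoke to try opening a device's Win32 symbolic link (\\.\Name) with read and write access and reports whether the open succeeded or was denied. Run it as a standard (non-admin) user; a device that opens successfully exposes its control interface to unprivileged code, which is the precondition the 34 drivers share. The device names at the bottom are placeholders, since the post does not list the affected device names; PhysicalDrive0 is included only as a sanity check that a standard user should be denied.

```powershell
# Added example (not from the original post): probe whether a device object's
# Win32 symbolic link can be opened by the current user. Run as a standard user.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class DeviceProbe {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileW(
        string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Test-DeviceOpen {
    <#
      Tries to open \\.\<DeviceName> and reports the outcome.
      Win32 error 5 (ERROR_ACCESS_DENIED) means the device object's ACL
      stopped us; error 2 (ERROR_FILE_NOT_FOUND) means no such symbolic link.
    #>
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [uint32]$DesiredAccess = [uint32]3221225472   # GENERIC_READ | GENERIC_WRITE (0xC0000000)
    )
    $OPEN_EXISTING = [uint32]3
    $FILE_SHARE_RW = [uint32]3                        # FILE_SHARE_READ | FILE_SHARE_WRITE
    $path = "\\.\$DeviceName"

    $h = [DeviceProbe]::CreateFileW($path, $DesiredAccess, $FILE_SHARE_RW,
                                    [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($h.ToInt64() -ne -1) {                        # INVALID_HANDLE_VALUE is -1
        [void][DeviceProbe]::CloseHandle($h)
        return [pscustomobject]@{ Device = $path; Opened = $true; Win32Error = 0; Verdict = 'reachable from this user' }
    }
    $verdict = switch ($err) {
        5       { 'access denied (ACL restricts this user)' }
        2       { 'no such device link' }
        default { "open failed (error $err)" }
    }
    [pscustomobject]@{ Device = $path; Opened = $false; Win32Error = $err; Verdict = $verdict }
}

# Placeholder names: replace with the symbolic links of the drivers you are assessing.
# PhysicalDrive0 is a sanity check; a standard user should see error 5 here.
$Targets = @('PhysicalDrive0', 'ExampleVendorDevice')
$Targets | ForEach-Object { Test-DeviceOpen -DeviceName $_ } | Format-Table -AutoSize
```

A successful open only proves the device is reachable, not that its IOCTL handlers are exploitable; it is the first filter, after which the driver's code still has to be reviewed for what those handlers allow. Drivers such as WDTKernel.sys and H2OFFT64.sys should return error 5 to a standard user and open only from an elevated session, which is why they matter for BYOVD rather than for local privilege escalation.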
Haruyama notes that while the current research focuses on firmware access, the same analysis could readily be extended to other dangerous capabilities, for example drivers that allow terminating arbitrary processes, a capability attackers use to kill security agents. Driver weaknesses of this kind keep surfacing, so maintaining security requires ongoing vigilance rather than a one-time fix.
Understanding the risks posed by these vulnerable kernel drivers is essential for protecting your systems. Here are some steps you can take:
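As an added example written for this post (not code from the research or from TuxCare), the PowerShell below covers the two checks a defender would want first: an inventory of loaded kernel drivers, flagging the file names called out above (stdcdrv64.sys, WDTKernel.sys, H2OFFT64.sys) together with their Authenticode status and file version, and a readout of whether Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity (HVCI) are enabled, the built-in controls that stop known-bad drivers from loading. The blocklist check reads the documented VulnerableDriverBlocklistEnable registry value and the HVCI check reads the Win32_DeviceGuard WMI class; the watchlist is deliberately just the three names from the post and should be extended from your own intelligence. Presence of a watchlisted driver is a finding to triage, not proof of compromise, since these drivers can be present legitimately as part of vendor utilities.

```powershell
# Added example (not from the original post): inventory loaded drivers and
# report the status of Windows' built-in protections against vulnerable drivers.

# File names the post calls out. Extend from your own threat intelligence.
$Watchlist = @('stdcdrv64.sys', 'WDTKernel.sys', 'H2OFFT64.sys')

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName can carry NT-style prefixes; normalise them
    # so Test-Path / Get-Item work on the result.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-DriverInventory {
    param([string[]]$Names = $Watchlist)
    # Win32_SystemDriver lists kernel drivers registered as services, which is
    # also how a BYOVD-loaded driver is normally installed (sc create ... type= kernel).
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $d.PathName
        $leaf = if ($path) { Split-Path -Leaf $path } else { $null }
        $sig = $null; $signer = $null; $ver = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $auth   = Get-AuthenticodeSignature -FilePath $path
            $sig    = $auth.Status
            $signer = $auth.SignerCertificate.Subject
            $ver    = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }
        [pscustomobject]@{
            Service     = $d.Name
            File        = $leaf
            State       = $d.State
            StartMode   = $d.StartMode
            Signature   = $sig
            Signer      = $signer
            FileVersion = $ver
            OnWatchlist = [bool]($leaf -and ($Names -contains $leaf))   # -contains is case-insensitive
        }
    }
}

function Get-VulnerableDriverProtectionStatus {
    # Documented registry switch for the Microsoft vulnerable driver blocklist.
    $ci  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (memory integrity) is on.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $blocklist = if ($null -eq $val) { 'value not set (follows the build default)' }
                 elseif ($val.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' }
                 else { 'disabled' }
    [pscustomobject]@{
        VulnerableDriverBlocklist = $blocklist
        HvciRunning               = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
        HvciConfigured            = [bool]($dg -and ($dg.SecurityServicesConfigured -contains 2))
    }
}

Get-VulnerableDriverProtectionStatus | Format-List
$inv = Get-DriverInventory
$inv | Where-Object OnWatchlist | Format-Table -AutoSize
# Loaded drivers whose signature is anything but Valid deserve a look regardless of the watchlist.
$inv | Where-Object { $_.Signature -and $_.Signature -ne 'Valid' } | Format-Table Service, File, Signature -AutoSize
```

Run this from an elevated prompt so that every driver file is readable. A watchlisted driver that is running with a valid signature is exactly the BYOVD shape described above: the signature is genuine, and the fix is to update it to the vendor's patched version (as with Intel's stdcdrv64.sys) or to block it through the driver blocklist or a WDAC policy.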
In conclusion, the discovery of 34 vulnerable WDM and WDF drivers is a stark reminder of the ever-evolving threat landscape. Protecting your devices requires a proactive approach: stay informed, apply vendor driver updates such as Intel's fix for stdcdrv64.sys, and deploy security solutions that can detect or block vulnerable drivers. Doing so reduces the risk of your systems falling victim to these vulnerabilities.
The sources for this piece include articles in The Hacker News and IS.PAGE.
The post 34 WDM And WDF Models Vulnerable: Protect Your Devices appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/34-wdm-and-wdf-models-vulnerable/