A total of 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers have been discovered [1] [2] [3] [5] [6], posing a potential risk of exploitation. These drivers [1] [2] [3] [5] [6], including some from leading BIOS [4], PC [4], and chip [3] [4] manufacturers, could be used by non-privileged threat actors to gain full control of devices and execute arbitrary code [2] [3] [5] [6]. Exploiting them could result in firmware erasure or alteration [3], as well as elevation of operating system privileges [3].

Description

Among the vulnerable drivers are AODDriver.sys [1] [2] [3], ComputerZ.sys [1] [2] [3], dellbios.sys [1] [2] [3], GEDevDrv.sys [1] [2] [3], GtcKmdfBs.sys [1] [2] [3], IoAccess.sys [1] [2] [3], kerneld.amd64 [1] [2] [3], ngiodriver.sys [1] [2] [3], nvoclock.sys [1] [2] [3], PDFWKRNL.sys (CVE-2023-20598) [2] [3], RadHwMgr.sys [1] [2] [3], rtif.sys [1] [2] [3], rtport.sys [1] [2] [3], stdcdrv64.sys [1] [2] [3], and TdkLib64.sys (CVE-2023-35841) [2] [3]. Six of these drivers allow access to kernel memory [1], enabling privilege elevation and bypassing security solutions. Additionally, twelve drivers can be used to subvert security mechanisms like kernel address space layout randomization (KASLR) [3].

Furthermore, seven drivers [1] [2] [3], including Intel’s stdcdrv64.sys [1] [3], are capable of erasing the firmware held in SPI flash memory, rendering the system unbootable [3]. It is worth noting that VMware has also identified WDF drivers that, although not vulnerable in terms of access control [1] [2] [3], can easily be weaponized by privileged threat actors in a Bring Your Own Vulnerable Driver (BYOVD) attack [2] [3]. This technique has been used by various adversaries [2] [3], including the Lazarus Group [2] [3], to gain elevated privileges and disable security software on compromised endpoints [1] [2] [3].

The research initially focused on drivers with firmware access [2] [3], but it could be extended to cover other attack vectors. Only two developers [4], Phoenix Technologies and Advanced Micro Devices (AMD) [4], have addressed the vulnerabilities after being notified [4]. VMware has developed proof-of-concept exploits and provided a script to automate the search for vulnerable drivers [4].
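As an added defensive check, not code from the article or from VMware's own search script, the snippet below runs detection logic over Sysmon DriverLoad (Event ID 6) records and flags any load of a driver named in the list above, such as a BYOVD attack would produce. The flattened log lines and their field layout are constructed for this example; the match list is the driver names given above.

```python
import re

# Driver file names reported in the research (taken from the article above).
# kerneld.amd64 has no .sys extension, so matching is on the full basename.
VULNERABLE_DRIVERS = {
    "aoddriver.sys", "computerz.sys", "dellbios.sys", "gedevdrv.sys",
    "gtckmdfbs.sys", "ioaccess.sys", "kerneld.amd64", "ngiodriver.sys",
    "nvoclock.sys", "pdfwkrnl.sys", "radhwmgr.sys", "rtif.sys",
    "rtport.sys", "stdcdrv64.sys", "tdklib64.sys",
}

# Sysmon Event ID 6 (DriverLoad) records flattened to one line each.
# These lines are constructed for this example; the field names follow
# Sysmon's DriverLoad schema (ImageLoaded, Signed, Signature, SignatureStatus).
SAMPLE_EVENTS = """\
EventID=6 UtcTime=2023-11-02T10:14:03.120 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
EventID=6 UtcTime=2023-11-02T10:20:41.781 ImageLoaded=C:\\Users\\Public\\stdcdrv64.sys Signed=true Signature="Intel Corporation" SignatureStatus=Valid
EventID=6 UtcTime=2023-11-02T10:21:02.004 ImageLoaded=C:\\Temp\\KernelD.amd64 Signed=true Signature="Some Vendor" SignatureStatus=Valid
EventID=7 UtcTime=2023-11-02T10:21:05.000 ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true Signature="Microsoft Windows" SignatureStatus=Valid
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one flattened Sysmon line into a dict of field -> value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def flag_driver_loads(text):
    """Return the DriverLoad events whose image basename is on the list."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only driver loads, not image loads (Event ID 7)
        image = ev.get("ImageLoaded", "")
        # Basename, case-insensitive; accepts both \ and / separators.
        name = re.split(r"[\\/]", image)[-1].lower()
        if name in VULNERABLE_DRIVERS:
            # In BYOVD the driver carries a valid vendor signature, which is why
            # the loader trusts it, so a valid signature must not suppress the hit.
            hits.append({"time": ev.get("UtcTime"), "driver": name,
                         "path": image, "signer": ev.get("Signature"),
                         "outside_system32": not image.lower().startswith("c:\\windows\\system32\\")})
    return hits

if __name__ == "__main__":
    for hit in flag_driver_loads(SAMPLE_EVENTS):
        print(hit)
```

The `outside_system32` flag is a triage hint only: a listed driver loaded from a user-writable directory is a stronger indicator of a dropped driver than one installed with its vendor software.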

Conclusion

The discovery of these vulnerable drivers highlights the potential risks posed by non-privileged threat actors. It is crucial for manufacturers and developers to address these vulnerabilities promptly to mitigate the potential for exploitation. Additionally, the identification of WDF drivers that can be weaponized by privileged threat actors emphasizes the need for robust access control measures. Moving forward, it is important to continue researching and addressing vulnerabilities in drivers to enhance overall system security.

References

[1] https://pledgetimes.com/windows-driver-34-drivers-with-vulnerabilities-discovered/
[2] https://www.redpacketsecurity.com/researchers-find-windows-drivers-vulnerable-to-full-device-takeover/
[3] https://thehackernews.com/2023/11/researchers-find-34-windows-drivers.html
[4] https://www.altusintel.com/public-yywm27/
[5] https://cyber.vumetric.com/security-news/2023/11/02/researchers-find-34-windows-drivers-vulnerable-to-full-device-takeover/
[6] https://www.cyberevive.com/2023/11/02/researchers-find-34-windows-drivers-vulnerable-to-full-device-takeover/