Researchers from VMware Carbon Black have unearthed a concerning revelation — 34 unique Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers are susceptible to exploitation by non-privileged threat actors. The repercussions are dire, allowing malevolent entities to seize complete control of devices and execute arbitrary code on the underlying systems.
Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, sheds light on the severity of the situation. “By exploiting the drivers, an attacker without privilege may erase/alter firmware and/or elevate [operating system] privileges,” he warns, underlining the potential for substantial damage.
This research builds upon earlier studies like ScrewedDrivers and POPKORN, which employed symbolic execution to automate the discovery of vulnerable drivers. The focus here is on drivers that boast firmware access through port I/O and memory-mapped I/O, amplifying the scope of exploitation.
CVE-2023-20598: Identifying the Culprits
The list of vulnerable drivers reads like a cybersecurity watchlist. Some of the noteworthy entries include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841). These drivers, once compromised, open the gateway for unauthorized access and manipulation of critical system components.
The implications of these vulnerabilities, including CVE-2023-20598, are profound. Six out of the 34 drivers grant kernel memory access, providing an avenue for attackers to elevate privileges and overcome security solutions. In addition, a dozen drivers can be exploited to subvert security mechanisms, including kernel address space layout randomization (KASLR), a crucial defense layer.
Seven drivers, such as Intel’s stdcdrv64.sys, present a more ominous threat—they allow the erasure of firmware in the SPI flash memory, rendering the entire system unbootable. Intel has responded promptly by issuing a fix to address this critical issue.
Beyond the immediate vulnerabilities lies a sophisticated technique known as Bring Your Own Vulnerable Driver (BYOVD). VMware identified WDF drivers, such as WDTKernel.sys and H2OFFT64.sys, which, while not inherently vulnerable in terms of access control, can be weaponized by privileged threat actors. This tactic has been employed by notorious groups, including the North Korea-linked Lazarus Group, to gain elevated privileges and disable security software, effectively evading detection.
“The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access,” warns Haruyama. However, the malleability of this technique makes it easy to extend the code to cover other attack vectors, such as terminating arbitrary processes.
Conclusion
As the digital landscape becomes increasingly complex, the discovery of these vulnerable drivers underscores the perpetual cat-and-mouse game between cybersecurity experts and threat actors. Timely patches, heightened awareness, and a proactive approach to system security are essential to thwart potential threats. The onus is on the industry to collaborate, innovate, and stay one step ahead in the ongoing battle for a secure digital future.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: