A recent revelation by researchers from VMware Carbon Black has sent shockwaves through the cybersecurity community. The discovery reveals that a staggering 34 unique Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers are susceptible to exploitation by non-privileged threat actors. The consequences of these vulnerabilities are severe, as they could potentially allow malicious entities to seize complete control of affected devices and execute arbitrary code on the underlying systems.
Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, has provided valuable insights into the gravity of this situation. He warns, “By exploiting the drivers, an attacker without privilege may erase/alter firmware and/or elevate [operating system] privileges,” highlighting the significant potential for damage.
This latest research builds upon earlier studies like ScrewedDrivers and POPKORN, which employed symbolic execution techniques to automate the discovery of vulnerable drivers. However, the focus here is on drivers that have firmware access through port I/O and memory-mapped I/O, which significantly amplifies the scope of potential exploitation.
Identifying the Vulnerable Drivers (CVE-2023-20598)
The list of vulnerable drivers reads like a cybersecurity watchlist, and some of the noteworthy entries include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841). When these drivers are compromised, they create an entry point for unauthorized access and manipulation of critical system components.
The implications of these vulnerabilities, particularly CVE-2023-20598, are profound. Six out of the 34 drivers discovered provide kernel memory access, which gives attackers an avenue to elevate privileges and circumvent security solutions. Furthermore, a dozen drivers can be exploited to undermine security mechanisms, including kernel address space layout randomization (KASLR), a crucial defense layer.
In particular, seven drivers, such as Intel’s stdcdrv64.sys, present an even more ominous threat. These drivers allow the erasure of firmware in the SPI flash memory, effectively rendering the entire system unbootable. In response to this critical issue, Intel has acted promptly to issue a fix.
Beyond these immediate vulnerabilities, a sophisticated technique known as “Bring Your Own Vulnerable Driver” (BYOVD) has been identified. VMware discovered WDF drivers, such as WDTKernel.sys and H2OFFT64.sys, which, while not inherently vulnerable in terms of access control, can be weaponized by privileged threat actors. Notorious groups, including the North Korea-linked Lazarus Group, have employed this tactic to gain elevated privileges and disable security software, thereby evading detection.
Haruyama warns about the technique’s malleability, stating, “The current scope of the APIs/instructions targeted by the [IDAPython script for automating static code analysis of x64 vulnerable drivers] is narrow and only limited to firmware access.” However, this adaptability makes it relatively easy to extend the code’s reach to cover other attack vectors, including the termination of arbitrary processes.
Troubleshooting Guide: Mitigating Vulnerabilities in Windows Drivers
- Check for Driver Updates: Regularly update your device drivers to ensure you have the latest security patches. Visit the official website of your hardware manufacturer to download and install the most recent driver updates.
- Apply Operating System Updates: Keep your operating system up to date with the latest security updates and patches. These updates often include fixes for known driver vulnerabilities.
- Verify Digital Signatures: Before installing any driver or software, verify that it has a valid digital signature from a reputable source. This helps ensure the authenticity of the software and reduces the risk of installing malicious drivers.
- Disable Unnecessary Drivers: Review your list of installed drivers and disable any that are not in use. This reduces the potential attack surface and minimizes the risk of exploitation.
- Use Enhanced Security Tools: Employ security tools and firewalls to monitor and filter driver-related activities. These tools can help detect and prevent suspicious driver behavior.
- Backup Critical Data: Regularly back up your important data to safeguard against potential damage caused by malicious drivers or system compromise.
- Exercise Caution with Third-Party Drivers: Avoid downloading drivers from unverified or unofficial sources. Stick to reputable sources and official manufacturer websites.
- Implement a Strong Password Policy: Protect your system with strong, unique passwords, and enable multi-factor authentication whenever possible to prevent unauthorized access.
- Educate End Users: If you are responsible for a network or system, ensure that end users are educated about the risks associated with driver vulnerabilities and the importance of keeping drivers and software up to date.
- Incident Response Plan: Develop an incident response plan to address security breaches promptly. This plan should include steps to isolate affected devices, remove malicious drivers, and restore system integrity.
By following these troubleshooting and mitigation steps, you can reduce the risk of falling victim to driver vulnerabilities and enhance the security of your systems and devices.
Conclusion: The Ongoing Battle for a Secure Digital Future
As the digital landscape becomes increasingly complex, the discovery of these vulnerable drivers highlights the ongoing cat-and-mouse game between cybersecurity experts and threat actors. Timely patches, heightened awareness, and a proactive approach to system security are essential to thwart potential threats. The responsibility falls on the industry to collaborate, innovate, and remain one step ahead in the ongoing battle for a secure digital future.
