Researchers Discover 34 Vulnerable Windows Drivers, Posing a Serious Threat to Device Security
In a recent breakthrough, researchers have identified a staggering 34 unique vulnerable Windows drivers that can be exploited by non-privileged threat actors. These drivers, specifically Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers, grant attackers complete control over devices, allowing them to execute malicious code on underlying systems.
By exploiting these drivers, threat actors can go as far as altering or erasing firmware, ultimately elevating their operating system privileges. This latest research builds upon previous studies, such as ScrewedDrivers and POPKORN, which relied on symbolic execution to automate the discovery of vulnerable drivers. The research project has focused on drivers that possess firmware access through port input/output (I/O) and memory-mapped I/O.
Among the identified vulnerable drivers are AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841).
Out of the 34 drivers, six of them allow access to kernel memory, which presents a serious threat as it can be used to elevate privileges and bypass security solutions. Additionally, twelve of the drivers have capabilities to subvert security mechanisms, including kernel address space layout randomization (KASLR).
Disturbingly, seven of the identified drivers, including Intel’s stdcdrv64.sys, have the potential to erase firmware stored in the SPI flash memory. This renders the affected systems unbootable. Fortunately, Intel has released a fix for this specific vulnerability.
Moreover, the researchers also came across WDF drivers such as WDTKernel.sys and H2OFFT64.sys that, while not vulnerable in terms of access control, can be effortlessly weaponized by threat actors who already hold privileges. Such actors load these drivers in a technique known as Bring Your Own Vulnerable Driver (BYOVD), which enables them to gain elevated privileges and disable security software to avoid detection. Notably, this technique has been employed by various notorious groups, including the infamous Lazarus Group.
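For defenders, the practical first step is to check whether any of the drivers named above are present on managed hosts. The following script is an added example, not code from the article or from the underlying research: it parses `driverquery /v /fo csv`-style output and flags the driver modules the article lists, reporting the access-control-vulnerable drivers separately from the two WDF drivers described as BYOVD candidates. The driver names come from the article; the sample driverquery output embedded below is constructed for the example and was not captured from a real host.

```python
"""Flag known-vulnerable Windows drivers in driverquery-style CSV output.

Added example (not from the article or the cited research). Driver names
are those listed in the article; SAMPLE_OUTPUT is constructed test data.
"""
import csv
import io
import os

# Drivers the article lists as exploitable by non-privileged callers.
VULNERABLE_DRIVERS = {
    "AODDriver.sys", "ComputerZ.sys", "dellbios.sys", "GEDevDrv.sys",
    "GtcKmdfBs.sys", "IoAccess.sys", "kerneld.amd64", "ngiodriver.sys",
    "nvoclock.sys", "PDFWKRNL.sys", "RadHwMgr.sys", "rtif.sys",
    "rtport.sys", "stdcdrv64.sys", "TdkLib64.sys",
}

# WDF drivers the article says are abusable only by already-privileged
# actors (BYOVD); reported in their own category since they are not
# access-control flaws and may be legitimately installed.
BYOVD_CANDIDATES = {"WDTKernel.sys", "H2OFFT64.sys"}

# Case-insensitive lookup from on-disk file name to canonical name.
_LOOKUP = {name.lower(): name for name in VULNERABLE_DRIVERS | BYOVD_CANDIDATES}

# Constructed sample shaped like `driverquery /v /fo csv` (columns trimmed
# to the ones this check needs). Not real host data.
SAMPLE_OUTPUT = """\
"Module Name","Display Name","State","Path"
"ACPI","Microsoft ACPI Driver","Running","C:\\Windows\\system32\\drivers\\ACPI.sys"
"stdcdrv64","Intel Stdcdrv","Running","C:\\Windows\\system32\\drivers\\stdcdrv64.sys"
"kerneld","Kernel Driver","Stopped","C:\\Program Files\\Vendor\\kerneld.amd64"
"WDTKernel","WDT Kernel","Running","C:\\Windows\\system32\\drivers\\WDTKernel.sys"
"""


def driver_file_name(path):
    """Return the file name component of a Windows path, lower-cased.

    Backslashes are normalised so the split also works when this script
    is run on a non-Windows analysis box.
    """
    return os.path.basename(path.replace("\\", "/")).lower()


def flag_drivers(driverquery_csv):
    """Return a list of (canonical_name, state, category) for each row whose
    driver file matches a name from the article. Matching is on the file
    name in the Path column, not the Module Name, because the module name
    is an arbitrary service name while the file name is what identifies
    the binary (e.g. kerneld.amd64 has no .sys extension)."""
    hits = []
    for row in csv.DictReader(io.StringIO(driverquery_csv)):
        canonical = _LOOKUP.get(driver_file_name(row["Path"]))
        if canonical is None:
            continue
        category = "vulnerable" if canonical in VULNERABLE_DRIVERS else "byovd-candidate"
        hits.append((canonical, row["State"], category))
    return hits


if __name__ == "__main__":
    # On a real host, feed in the output of: driverquery /v /fo csv
    for name, state, category in flag_drivers(SAMPLE_OUTPUT):
        print(f"{category:16} {name:16} state={state}")
```

A file-name match is only a triage signal: confirm a hit by checking the file's version and signer against the vendor's fixed release (Intel's patched stdcdrv64.sys, for example) before treating it as an open exposure, and a `Stopped` driver that is still on disk can be loaded by a privileged process, so presence matters, not just running state.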
It should be noted that the current scope of this research is limited primarily to firmware access. However, the researchers suggest that it can be expanded to cover additional attack vectors, such as terminating arbitrary processes. The implications of these vulnerabilities are profound, especially considering the widespread use of Windows drivers in devices worldwide.
As the findings indicate a significant threat to device security, it is crucial for device manufacturers and users alike to remain vigilant and apply necessary patches and updates promptly. Heightened awareness and a proactive approach to cybersecurity are fundamental in safeguarding systems against potential attacks exploiting these vulnerable Windows drivers.