Up to 34 distinct vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers pose a security risk, potentially exploitable by non-privileged threat actors. 

These vulnerabilities could grant such actors full control over devices and enable them to execute arbitrary code within the underlying systems.

A researcher at VMware Carbon Black emphasized that “these drivers can be leveraged by attackers lacking privilege, allowing them to manipulate firmware or escalate operating system privileges.”

What Are the Details About the Findings?

This research builds upon prior studies like ScrewedDrivers and POPKORN, both of which employed symbolic execution to automate the identification of vulnerable drivers. 

The current investigation primarily targets drivers with firmware access via port I/O and memory-mapped I/O.

Among the drivers susceptible to exploitation are 

• AODDriver.sys,
• ComputerZ.sys,
• dellbios.sys,
• GEDevDrv.sys,
• GtcKmdfBs.sys,
• IoAccess.sys,
• kerneld.amd64,
• ngiodriver.sys,
• nvoclock.sys,
• PDFWKRNL.sys (CVE-2023-20598),
• RadHwMgr.sys,
• rtif.sys,
• rtport.sys,
• stdcdrv64.sys, and
• TdkLib64.sys (CVE-2023-35841).

Do They Just Sound Malicious?

• Out of these 34 drivers, six grant access to kernel memory, potentially permitting privilege escalation and circumventing security measures.
• Twelve drivers could be exploited to undermine security mechanisms, including kernel address space layout randomization (KASLR).
• Seven drivers, such as Intel’s stdcdrv64.sys, can erase firmware in the SPI flash memory, rendering the system unable to boot. Intel has already released a fix for this issue.

Other Findings by VMware

VMware also identified WDF drivers like WDTKernel.sys and H2OFFT64.sys, which are not initially vulnerable regarding access control. 

However, these can be easily weaponized by privileged threat actors in a technique known as Bring Your Own Vulnerable Driver (BYOVD) attack. 

This approach has been adopted by various threat actors, including the North Korea-linked Lazarus Group, as a means to gain elevated privileges and disable security software on compromised endpoints to evade detection.

Takahiro Haruyama(researcher) explained that: 

“The current focus of the IDAPython script for automating static code analysis of x64 vulnerable drivers is relatively limited, primarily concentrating on firmware access. However, it is easily expandable to encompass other attack vectors, such as the termination of arbitrary processes.”

We Should Learn from Emerging Threats

We anticipate a growing focus on driver security as a critical component of overall system defense. Both manufacturers and users must stay vigilant, implement best practices, and collaborate in the ongoing effort to safeguard devices from evolving threats. 

Integrating advanced security features and real-time monitoring may become more prevalent in future driver development to counter emerging risks effectively.

Leave Comment