
Exploring the Impact of Vulnerable Kernel Drivers Discovered by VMware's Threat Analysis Unit

Vulnerable Kernel Drivers Discovered by VMware’s Threat Analysis Unit

Researchers within VMware's Threat Analysis Unit (TAU) have recently uncovered a cause for concern: potentially vulnerable kernel drivers. These driver vulnerabilities could allow a range of exploits by cybercriminals, including manipulating system processes, maintaining persistence on a system, evading security products, and even altering the device's firmware. The TAU's research project involved large-scale sampling of Windows drivers with the aim of identifying possible weak points.

Identification of Dozens of Unknown Vulnerable Kernel Drivers

After collecting and analyzing around 18,000 Windows driver samples from VirusTotal, the researchers discovered several previously unknown vulnerable drivers. Out of the 18,000 samples, hundreds of file hashes were identified as potentially exploitable. Belonging to 34 unique drivers, these vulnerabilities were not previously known and represent a new area of risk. Drivers associated with major BIOS, PC, and chip makers were among those flagged as potentially vulnerable.

Potential for Exploitation by Attackers for Firmware Alteration and Privilege Escalation

The presence of these vulnerabilities within kernel drivers could pose significant threats to users if attackers exploit them. Such exploitation could enable cybercriminals to manipulate systems, maintain a persistent presence on a device, evade detection by security programs, and even alter a device's firmware. This would allow attackers to gain full control of the targeted device even from non-system privilege levels.

Collection of Around 18,000 Windows Driver Samples for Analysis

VMware's TAU demonstrated significant diligence in their research, collecting roughly 18,000 Windows driver samples for examination. Using a YARA rule, the samples were analyzed and drivers with already-known vulnerabilities were excluded from consideration. This left a substantial number of drivers that could contain previously unknown vulnerabilities, all of which were subsequently examined to ensure no potential threats were overlooked.

Identified Vulnerable Drivers and Their Impact

The research undertaken by VMware's Threat Analysis Unit led to the identification of 34 unique, and previously unknown, vulnerable kernel drivers. These drivers pose a considerable security risk as their exploitation could enable attackers to gain complete control of the targeted devices. Furthermore, these vulnerabilities may also allow for the alteration or erasure of the device's firmware, and the elevation of the attacker's privileges.

34 Unique, Previously Unknown Vulnerable Drivers Identified

VMware's analysis of approximately 18,000 Windows driver samples led to the discovery of 34 unique, previously unknown vulnerable drivers, each presenting exploitation opportunities. A few hundred file hashes associated with vulnerable drivers were identified, leaving users potentially exposed to threats that were not previously considered. The drivers belonged to significant producers in the tech industry, such as PC, BIOS, and chip manufacturers, underlining the widespread potential implications of this discovery.

Potential for Full Control of Targeted Device by Attackers

Each of these identified drivers harbors the frightening potential to allow attackers with non-system privileges to achieve full control over the targeted device. By exploiting these vulnerable drivers, cybercriminals can potentially manipulate the system processes of the device, persist within the system unnoticed, and even evade security applications. The implications of these findings cannot be overstated when considering the possible harm that could occur if these vulnerabilities are exploited.

Possibility for Firmware Alteration/Erasure and Privilege Elevation

The vulnerabilities identified within these drivers could allow for a range of malicious activities to occur. Along with offering full control of the device to the attacker, these drivers could potentially enable the alteration or erasure of the device's firmware - which could lead to a total system compromise. In addition, the exploitation could also lead to the elevation of privileges for the attackers, providing them with unrestricted access and control over the device and its system processes, leading to far-reaching security implications.

Responses from Developers and Preventive Actions from VMware

The process of resolving these identified vulnerabilities has posed a significant challenge, not least because of the low response rate from the developers of the vulnerable drivers. Against this backdrop, VMware has pioneered measures to rectify the situation by developing proof-of-concept exploits for some vulnerable drivers, in addition to releasing an IDAPython script to ease the identification of other potentially vulnerable drivers.

Low Response Rate from Developers of the Vulnerable Drivers

Upon the identification of the vulnerable drivers, developers were informed about the situation in the spring of 2023. However, the response from these identified developers has been underwhelming. According to VMware, just two companies - Phoenix Technologies and Advanced Micro Devices - have taken the necessary steps to address and fix the vulnerabilities within their drivers. This lack of response from other developers to this identified security concern is indeed disconcerting.

Development of Proof-of-Concept Exploits by VMware for Several Vulnerable Drivers

VMware has taken proactive measures to expose the potential danger of these vulnerabilities by developing proof-of-concept exploits for several of the vulnerable drivers. These real-world examples are designed to demonstrate how cybercriminals might exploit these drivers, thereby providing valuable insights into how best to mitigate against these security risks. Through these demonstrations, VMware is able to show vividly how these vulnerabilities can be exploited for the erasure of firmware or the escalation of privileges.

Release of an IDAPython Script by VMware to Facilitate the Hunt for Vulnerable Drivers

Furthering their preventive efforts, VMware has also made available an IDAPython script to facilitate the hunt for other potentially vulnerable drivers. This tool is designed to automate the identification process of these vulnerabilities within the Windows Driver Model (WDM) and Windows Driver Framework (WDF) drivers. By doing so, VMware is enabling a more streamlined process of identifying and, ultimately, addressing the vulnerabilities within these drivers.

Endpoint Security Issues and Further Developments

VMware's discovery of these vulnerable kernel drivers has deep consequences for endpoint security, underlining the need for renewed vigor in providing robust protection for devices. These vulnerabilities also bring to light how cybersecurity must rapidly evolve to deal with emerging threats. In this context, VMware's public release of a list of problematic driver file names represents a critical resource in combating these threats.

Published List of Problematic Driver File Names by VMware

In the wake of their discovery, VMware has published a list of the file names associated with the problematic drivers. This information would be a significant asset to device security, as it allows development and security teams to identify and target the specific drivers that are vulnerable. By making this information publicly available, VMware has made a critical contribution to the collective efforts to mitigate the risks posed by these vulnerabilities.
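One way a security team might act on such a list is to compare the kernel drivers installed on a Windows host against it. The PowerShell below is an added example and not VMware's tooling; the blocklist entries are placeholders to be replaced with the file names (and hashes, where available) from VMware's published list.

```powershell
# Added example (not VMware's tooling): check the kernel drivers registered on a
# Windows host against a blocklist of known-vulnerable driver file names/hashes.
# The entries below are PLACEHOLDERS; substitute the file names (and SHA-256
# hashes, if you maintain them) from VMware TAU's published list.
$BlockedNames = @(
    'placeholder_vulnerable_driver1.sys',
    'placeholder_vulnerable_driver2.sys'
)
$BlockedSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder
)

# Enumerate every kernel driver service Windows knows about (running or not)
# and normalise its on-disk path (\??\ and \SystemRoot prefixes are common).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $path }
    }

$findings = foreach ($d in $drivers) {
    if (-not (Test-Path -LiteralPath $d.Path)) { continue }
    $fileName = [System.IO.Path]::GetFileName($d.Path)
    $hash     = (Get-FileHash -LiteralPath $d.Path -Algorithm SHA256).Hash
    $byName   = $BlockedNames  -contains $fileName   # case-insensitive in PowerShell
    $byHash   = $BlockedSha256 -contains $hash
    if ($byName -or $byHash) {
        [pscustomobject]@{
            Service = $d.Name
            State   = $d.State
            Path    = $d.Path
            SHA256  = $hash
            Match   = if ($byHash) { 'hash' } else { 'name' }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No blocklisted drivers found.' }
```

A file-name match alone is only a lead, since a patched driver often keeps the same name as its vulnerable predecessor; prefer hash matches where hashes are available and treat name-only hits as candidates for further review.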

Increasing Importance of Endpoint Resilience

As organizations increasingly rely on device drivers from legacy hardware or deprecated products, the identified vulnerabilities in kernel drivers bring to the fore the importance of endpoint resilience. These driver vulnerabilities necessitate enhanced protection mechanisms for devices, as even non-admin users could gain full control of these devices. The rise of this attack vector calls for the adoption of stringent endpoint security measures, particularly as threat actors could disable security software functions or install bootkits using known vulnerable drivers.

The Evolution and Challenges of Cybersecurity in the Context of These Discoveries

The dynamic nature of cybersecurity is further emphasized by these recent discoveries. Specifically, the cybersecurity terrain has always been marked by the constant evolution of threats and vulnerabilities, to which solutions must rapidly adapt. In this sense, VMware's uncovering of these problematic kernel drivers sheds light on the cycle of threat identification, vulnerability assessment and management, and solution implementation that shapes cybersecurity. While some developers have begun to address these vulnerabilities, the lackluster response from others suggests that more effort is needed to push for immediate and comprehensive solutions.

Reactionary Times News Desk
