Post by Deleted on Aug 11, 2019 18:49:52 GMT -5
...
In a nutshell, the researcher found a common design flaw within the hardware device drivers from multiple vendors including Huawei, Intel, NVIDIA, Realtek Semiconductor, SuperMicro and Toshiba. In total, the number of hardware vendors affected runs to 20 and includes every major BIOS vendor. The nature of the vulnerability has the potential for the widespread compromise of Windows 10 machines.
...
Certified for trust
The dangerous escalation of privileges problem, giving an attacker read and write access at the same level as the kernel, becomes more problematical when you realize the level of trust that can be exploited here.
These were not "rogue" drivers, but officially sanctioned ones. They were all from trusted vendors, all signed by trusted certificate authorities and all certified by Microsoft.
As the drivers are designed specifically to update firmware, the seriousness of the issue becomes very apparent, very quickly. The flawed drivers not only provide the mechanism to make these changes but also the privileges to do so. If a threat actor can manipulate this combination of bad coding and signed certification, well, the outcome isn't going to look pretty.
The researchers stated that there are "multiple examples of attacks in the wild that take advantage of this class of vulnerable drivers." Examples provided included the Slingshot APT campaign which installs a kernel rootkit and "LoJax malware" that installs malicious code in device firmware that can even survive a full Windows reinstallation.
Has the problem been fixed yet?
Mickey Shkatov, a principal researcher at Eclypsium, told ZDNet that "Some vendors, like Intel and Huawei, have already issued updates." Others, which are independent BIOS vendors, like Phoenix and Insyde, "are releasing their updates to their customer OEMs," Shkatov said.
The Eclypsium research reveals that the security issue applies to "all modern versions of Microsoft Windows," and "there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers." That said, group policies for Windows Enterprise, Pro and Server could provide a degree of mitigation to "a subset of users," the researchers stated.
The full list of vendors that have issued updates, which you should install as soon as possible, can be found here.
...
"Screwed drivers" list can be found in the link below.
eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/
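Since the article notes there is no universal mechanism to stop Windows from loading a known-bad signed driver, the practical first step for a defender is to know which kernel drivers are actually present on a host, who signed them, and whether any match a vetted blocklist. The script below is an added example, not code from the article, the forum poster or Eclypsium. It assumes a Windows host with PowerShell 5.1 or later, uses the real `Get-CimInstance`, `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets, and the `$KnownBadDriverHashes` list is a labelled placeholder that you must fill from a trusted source such as the vendor advisories the article points to.

```powershell
# Added example (not from the article or Eclypsium): inventory kernel-mode
# drivers on this host, record each one's Authenticode signer and SHA-256 hash,
# and flag any whose hash appears in a locally maintained known-bad list.

# PLACEHOLDER: replace with real SHA-256 values taken from a vetted blocklist.
$KnownBadDriverHashes = @(
    'PLACEHOLDER_SHA256_OF_KNOWN_BAD_DRIVER_1',
    'PLACEHOLDER_SHA256_OF_KNOWN_BAD_DRIVER_2'
)

function Get-DriverInventory {
    # Win32_SystemDriver lists kernel-mode driver services with their image paths.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise the forms Windows uses for driver image paths:
            #   \SystemRoot\System32\drivers\x.sys, \??\C:\...\x.sys, system32\drivers\x.sys
            $path = $_.PathName `
                -replace '^\\SystemRoot', $env:SystemRoot `
                -replace '^\\\?\?\\', '' `
                -replace '^system32', "$env:SystemRoot\System32"

            # Skip entries whose image file is not on disk (stale service records).
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State          # Running / Stopped
                Path      = $path
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                Sha256    = $hash
                KnownBad  = ($KnownBadDriverHashes -contains $hash)
            }
        }
}

# Usage: list every driver that is on the blocklist or whose signature is not valid.
Get-DriverInventory |
    Where-Object { $_.KnownBad -or $_.SigStatus -ne 'Valid' } |
    Sort-Object State, Name |
    Format-Table Name, State, SigStatus, Signer, Path -AutoSize
```

Because the drivers discussed in the article are validly signed, a signature check alone will not surface them; the hash match against a maintained blocklist is what does the work, and the signer column is there so that an unexpected vendor name in the running set stands out during triage. Run it elevated so the image files under System32\drivers are readable, and export the full inventory (for example with `Export-Csv`) so later runs can be diffed against a known-good baseline.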