November 1, 2023 at 11:46AM
VMware Carbon Black’s Threat Analysis Unit (TAU) found numerous previously unknown vulnerable kernel drivers that could be used by attackers to modify firmware or escalate privileges. After analyzing 18,000 Windows driver samples, TAU identified 34 unique vulnerable drivers, including ones from major BIOS and chip makers. Exploiting these drivers can grant an attacker control over the targeted device. While some developers fixed the vulnerabilities, VMware has developed proof-of-concept exploits to demonstrate the risks. They have also provided an IDAPython script to automate the search for vulnerable drivers.
Key takeaways from the meeting notes:
1. VMware Carbon Black’s Threat Analysis Unit (TAU) has discovered multiple kernel drivers that are vulnerable to exploitation by attackers, enabling them to modify firmware or escalate privileges.
2. Kernel drivers can be misused by threat actors, including cybercriminals and state-sponsored groups, to manipulate system processes, persist on a system, and evade security measures.
3. By collecting Windows driver samples and applying a Yara rule, TAU identified a few hundred file hashes associated with 34 unique vulnerable drivers that were previously unknown.
4. The analysis focused on both Windows Driver Model (WDM) and Windows Driver Framework (WDF) drivers, with a list of file names connected to the problematic drivers being published by VMware.
5. These vulnerable drivers can provide non-system privileged attackers with complete control over the targeted device.
6. Only two of the developers of the vulnerable drivers, Phoenix Technologies and Advanced Micro Devices, have fixed the vulnerabilities after being notified by VMware in spring 2023.
7. VMware has created proof-of-concept (PoC) exploits for several vulnerable drivers to demonstrate how they can be exploited for firmware erasure or privilege escalation.
8. Additionally, an IDAPython script developed by VMware is available to automate the search for vulnerable WDM and WDF drivers.
9. The meeting notes include references to related topics such as backdoored firmware found in US schools and firmware vulnerabilities affecting millions of devices, showing the ongoing concern in this area.