
Over 40 manufacturers at risk of privilege escalation attacks


Anonim

Technology keeps advancing, but cybersecurity still seems to be going through a bad time. A few days ago, the computer security firm Eclypsium published a very relevant report on privilege escalation attacks.

Drivers Vulnerable to Privilege Escalation Attacks

A couple of days ago the cybersecurity company released 'Screwed Drivers', a report that has been echoed in the community.

In it, Eclypsium pointed out some critical weaknesses in the design of drivers for modern devices.

They say the flaw could be exploited to take attackers from Ring 3 to Ring 0, that is, to full privileges. In addition, it is estimated that more than 40 manufacturers would be at risk, among them Intel, Nvidia, ASUS and AMD.

In their study, Eclypsium classified three different classes of privilege escalation attacks that take advantage of drivers:

  1. RWEverything (Read / Write Everything): A utility for accessing all hardware interfaces via software. It seems harmless, but with its signed RWDrv.sys kernel-mode driver it can offer Ring 0 privileges to any malware.
  2. LoJax (the first malware for UEFI): LoJax is a tool that uses RWDrv.sys to gain access to the SPI flash controller. Thanks to this, the configuration of the UEFI BIOS can be changed at will.
  3. SlingShot: The Slingshot attack is an APT (Advanced Persistent Threat) that uses its own malicious drivers to exploit others. It uses MSR read / write access to bypass security and install a rootkit on the machine.

However, the core of the problem is the way Windows validates and uses drivers. Apparently, even if a driver has an incomplete, obsolete or expired certificate, it is often used anyway. As you will understand, this is fatal if it is exploited, and the same cybersecurity firm explained it in its presentation at DEF CON 27.
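A defender can check which drivers on a host fall into the situation described above. The following is an added example, not code from Eclypsium or from this article; it assumes Windows PowerShell 5.1 or later, and its watchlist contains only the one driver file name the article mentions (RWDrv.sys).

```powershell
# Added example: audit the kernel-mode drivers registered on this Windows host.
# $Watchlist holds only the driver named in the article; extend it with your own list.
$Watchlist = @('RWDrv.sys')
$now = Get-Date

Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    # PathName may carry an NT prefix (\??\) or a \SystemRoot\ root; normalise it.
    $path = $_.PathName -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', "$env:SystemRoot\"

    # Skip entries whose image file cannot be resolved on disk.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

    $leaf = Split-Path -Leaf $path
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Driver      = $leaf
        State       = $_.State                      # Running / Stopped
        SigStatus   = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($cert) { $cert.Subject } else { $null }
        CertExpires = if ($cert) { $cert.NotAfter } else { $null }
        CertExpired = [bool]($cert -and $cert.NotAfter -lt $now)
        OnWatchlist = $Watchlist -contains $leaf    # case-insensitive match
    }
} |
    # Report only what needs a look: watchlisted names, expired signer
    # certificates, or any signature that does not verify.
    Where-Object { $_.OnWatchlist -or $_.CertExpired -or $_.SigStatus -ne 'Valid' } |
    Sort-Object OnWatchlist, CertExpired -Descending |
    Format-Table -AutoSize
```

A driver that shows CertExpired as True while SigStatus is Valid is one that the system still accepts even though its signing certificate has since expired, which is the condition the report draws attention to.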

Eclypsium is currently working with many of the at-risk companies to address these failures.

And you, what do you think about the state of the PC? Do you think we are better or worse off than 15 years ago? Share your ideas below.

Source: TechPowerUp
