'Screwed Drivers': Driver Vulnerabilities Affect Intel, AMD, Other Vendors

These newly disclosed vulnerabilities can allow attackers to install malware directly on device firmware, giving malicious software the ability to remain on the device, even after the operating system has been reinstalled, according to Intel-backed security startup Eclypsium.

Vulnerabilities found in drivers released by Intel, AMD, Nvidia and several other vendors can potentially give bad actors full control of Windows-based computers and their underlying firmware, even after the operating system is reinstalled, according to new research from an Intel-backed security firm.

Eclypsium, a Portland, Ore.-based security startup backed by Intel Capital and Andreessen Horowitz, disclosed the vulnerabilities, collectively dubbed "Screwed Drivers," on Saturday, saying that more than 40 drivers from at least 20 different vendors are impacted.

[Related: New Intel Side-Channel Vulnerability Puts Sensitive Data At Risk: Bitdefender]

The firm said the vulnerabilities, which impact all modern versions of Windows, highlight a "fundamental issue" with Microsoft's driver certification process since all impacted drivers have been certified by the Redmond, Wash.-based company.

"Since the presence of a vulnerable driver on a device can provide a user (or attacker) with improperly elevated privileges, we have engaged Microsoft to support solutions to better protect against this class of vulnerabilities, such as blacklisting known bad drivers," Eclypsium wrote in a blog post.

Eclypsium, which provides software to protect against firmware-based attacks, said the following BIOS and hardware vendors are affected:

• ASRock
• ASUSTeK Computer
• ATI Technologies (AMD)
• Biostar
• EVGA
• Getac
• GIGABYTE
• Huawei
• Insyde
• Intel
• Micro-Star International (MSI)
• NVIDIA
• Phoenix Technologies
• Realtek Semiconductor
• SuperMicro
• Toshiba

CRN has reached out to several impacted vendors for comment.

An Intel spokesperson said the company issued a security advisory for the vulnerability in its Intel Processor Diagnostic Tool on July 9, which recommended users to update the software to a newer version.

However, Eclypsium's disclosure appeared to be news to AMD. A company spokesperson said the chipmaker "was made aware of potential industry-wide, driver-related vulnerabilities" when the security firm published its blog post over the weekend.

AMD said it's actively investigating the issue and will provide further updates on its security website as needed.

"At AMD, security is a top priority. Through our ongoing work with researchers and the entire computing ecosystem, we are committed to identifying and, as appropriate, mitigating newly discovered potential risks," the company said.

Eclypsium said it has withheld the names of some affected vendors who are "still under embargo due to their work and highly regulated environments." Those vendors "will take longer to have a fix certified to deploy to customers, "the firm added.

Eclypsium said the vulnerable drivers "can make it increasingly challenging to secure the firmware attack surface,” especially since there is no universal mechanism available to prevent bad drivers from being loaded. This creates an opening for attackers, the firm said, giving them the ability to potentially render devices unusable or collect data from devices for years, even after the data has been erased.

The firm recommends organizations run continuous scans for outdated firmware on their systems and update to the most recent device drivers when they become available from vendors. Organizations should also monitor and test firmware integrity to track unapproved or unexpected changes. In addition, organizations using Windows Pro, Windows Enterprise and Windows Server can implement group policies and other features to offer some protection to a subset of users.

How The Vulnerabilities Work

The "Screwed Drivers" vulnerabilities work by using the driver as a proxy to gain highly privileged access to several hardware resources, including read and write access in the processor and chipset I/O, Model Specific Registers, Control Registers, Debug Registers, physical memory and kernel virtual memory, Eclypsium said.

Attackers can initially gain access by using malware to scan for vulnerable drivers. Once found, they can receive access to OS kernel mode, the most privileged access available to the operating system, and potentially even hardware and firmware interfaces, including the system BIOS.

This can allow attackers to install malware directly on device firmware, giving malicious software the ability to remain on the device, even after the operating system has been reinstalled — a capability that has already been demonstrated by a strain of malware called LoJax, according to Eclypsium.

"The problem extends to device components, in addition to the system firmware. Some vulnerable drivers interact with graphics cards, network adapters, hard drives, and other devices. Persistent malware inside these devices could read, write, or redirect data stored, displayed or sent over the network," Eclypsium wrote in its blog post.

What's more, an attacker could disable these components with a ransomware or denial-of-service attack, the firm added.

Vulnerability Management Is 'Foundational Security'

Ben Davis, business manager for Technium, a Southborough, Mass.-based solution security solution provider, which has won acclaim for its Secure Network as a Service (SNaaS) offering, said the driver vulnerability that Eclypsium exposed is part and parcel of Technium’s secure high-performance enterprise network service.

“We do this vulnerability scanning every day to reduce the attack point of our customers,” said Davis. “Vulnerability management is something a lot of companies don’t do well. It is foundational security.”

Davis' advice to customers concerned with the vulnerabilities disclosed by Eclypsium: “Embrace foundational security and cyber-hygiene. Do the basics rather than the shiny new silver bullet.”

Jeremy Louise, vice president of sales and business development for Technical Support International, a Foxborough, Mass.-based security solution provider, said his company will look closely at the vulnerabilities raised by Eclypsium and move to address them.

“This is the kind of service we provide on an ongoing basis to our customers as part of being a proactive service provider,” said Louise, whose company has been supporting IT operations for greater Boston businesses for 30 years.

“With the volatile cybersecurity landscape, it is not about eradicating these risks. It is about mitigating the damage," Louise added. "That is our job: managing the ever-changing, volatile IT landscape for our customers. That is what customers pay us for: to protect them from vulnerabilities like this.”

Louise warned customers not to be overcome by “security fatigue,” which causes customers to throw up their hands and ignore cybersecurity threats.

“Security fatigue is when you are inundated with security threats and you put your head in the sand,” said Louise. “Customers need to make sure they confront not flee from the security threats. It’s a fight or flight scenario. You need to fight.”

Additional reporting by Steve Burke.