Researchers Describe Significant Flaw in Intel's PMx Driver
Intel Has Fixed Vulnerability That Allows for 'Near-Omnipotent Control' of Device
Researchers with cybersecurity firm Eclypsium are following up their report from August about vulnerable device drivers with new details concerning a significant flaw in Intel's PMx driver, which they say could give attackers "near-omnipotent" control over devices.
Intel has released an updated version of its PMx driver, an important step in mitigating risks. Organizations now need to implement the updated driver to eliminate the vulnerabilities.
In a new report released Tuesday, the researchers outline the flaw in Intel's PMx drivers.
Because these Intel drivers have been used in Windows devices since the late 1990s, the flaw could have left millions of devices susceptible to an attack, researchers say. It's not clear, however, if threat actors have taken advantage of this vulnerability, despite the flaw being exposed for such a long time.
Eclypsium's research so far has focused on drivers that enable users to modify either the Windows kernel or the firmware in the device itself.
"Abuse of such capability can enable an attacker to gain incredible privileges over a machine while also avoiding traditional security controls," the report states.
A key problem is that "these drivers are valid tools released by vendors to help manage or update devices, and as such were properly signed and would be trusted on almost any machine. Worse still, there is no universal mechanism to prevent a Microsoft OS from loading one of these bad drivers," the researchers write.
Intel's PMx Driver
In their earlier report presented at the DEF CON show, Eclypsium researchers identified a number of drivers with design flaws, naming 17 of the vendors that were affected by the drivers. The vendors were given 90 days to address the security issues before the report was issued.
Intel fixed two of the issues, involving the Intel Processor Identification Utility and the Intel Computing Improvement Program, days after Eclypsium's presentation at DEF CON. Those updates were made public Aug. 13.
The Eclypsium researchers, however, delayed announcing the flaw in Intel's PMx driver until Intel could resolve the issue. The driver has a broad range of abilities, including read/write to physical memory and to Model Specific Registers as well as arbitrarily gaining I/O or PCI access.
Through the flaw in the driver, bad actors could obtain "near-omnipotent control over a victim device," the researchers note.
After working with Eclypsium researchers, Intel on Aug. 13 released updated versions of pmxdrvx64.sys and pmxdrv.sys to mitigate the vulnerability. Organizations can mitigate the security problems by installing these updated drivers.
The widely used PMx driver is a key part of many toolsets related to Intel Management Engine and BIOS technologies, dating to 1999. Adding to the problem, the vulnerable driver is included in the tool Intel released to address a recent vulnerability in Intel's AMT. Intel also uses the driver for its Flash Programming Tool for OEMs and customers who want to update an Intel-based BIOS.
"This makes the Intel PMx/PMxDrv one of the most capable, feature-rich, and most common drivers we have seen to date," the report says.
Most of the flaws in drivers from various companies studied by Eclypsium can be exploited by unprivileged users to attack the running kernel or modify the firmware of a device. Some drivers, however, can only be used with administrator privileges. Windows includes a security boundary between an admin process and a kernel driver, which the OS maker calls a "noteworthy trust boundary."
Processes running in userspace with admin privileges are treated the same as the Windows kernel, with no security boundary, which creates flaws, the researchers say.
"Although the administrator has control of the device, there are many security-sensitive operations that are additionally restricted even from the administrator," the report states. "Once Secure Boot is enabled, a reboot and a process intended to verify physical presence should be required to disable it. Likewise, the administrator cannot load unsigned kernel modules without rebooting and performing physically present operations during the boot process. There are many security controls which cannot be disabled at runtime without a reboot."
The researchers say a security hole is created when a compromised admin process is allowed to read and write kernel memory, enabling attacks against the kernel. While they did not use these specific Intel drivers, the LoJax and Slingshot advanced persistent threat campaigns both exploited similar vulnerabilities, Jesse Michael, principal researcher at Eclypsium, tells Information Security Media Group.
In their previous report, the researchers noted a vulnerability called WinRing0 and referred to an analysis by their counterparts at SafeBreach of an attack on HP Touchpoint Analytics, which uses the driver that is included in OEM-installed software. SafeBreach showed how the driver can be used in a number of ways by hackers to, among other things, bypass application whitelisting, signature validation and driver signature enforcement.
Threats Posed by Vulnerable Drivers
Eclypsium's Michael says the company's research into vulnerable drivers is continuing, noting that some of the impacted vendors - given their work in highly regulated areas - remain under embargo and will take longer to have a fix certified. "These types of vulnerabilities are not the initial entry point into a system or network, but allow privilege escalation and persistence at a deeper level than application-level vulnerabilities we usually see," he says.
The company's research should sound alarms among security vendors and end users alike, says Nathan Einwechter, director of security research at cybersecurity company Vectra. Drivers with known vulnerabilities can be patched and the threat mitigated, Einwechter says.
"What this research really tells me is that third-party drivers as a category have a high potential for exploitation," he says. "This is a particularly interesting observation for targeted attackers looking to find unique new exploits for a particular target. What those attackers choose to do with a particular vulnerability is dependent on their own goals. For some this will be IP theft, for others it will be ransomware. Vulnerabilities like this are really just an enabler of the broader attack goals of an attacker."
While organizations need to patch known vulnerable drivers, an equally important step is to inventory the drivers within their environments - similar to what is done with software generally - and reduce the number of drivers used, Einwechter says. This will shrink the attack surface.
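The inventory step Einwechter describes can be started with a short script. The following PowerShell is an added example, not code from Eclypsium, Intel or any vendor quoted here: it lists every kernel driver registered on a Windows host with its file version and Authenticode signer, and flags file names taken from this article (pmxdrv / pmxdrvx64 and WinRing0). The watch-list patterns and the output path are constructed for the example; the fixed PMx version number is not stated on this page, so the script reports versions for comparison against Intel's advisory rather than hard-coding a threshold.

```powershell
# Added example: inventory registered kernel drivers and flag names discussed in the article.
# Watch list is constructed from the driver names on the page (assumption: file names start
# with these stems); extend it with whatever your own driver review turns up.
$watchPatterns = @('^pmxdrv', '^winring0')

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Service image paths come in several shapes: \??\C:\..., \SystemRoot\..., or a
            # path relative to the Windows directory. Normalise before touching the file.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            $file = [System.IO.Path]::GetFileName($path)

            $sig = $null
            $ver = $null
            if (Test-Path -LiteralPath $path) {
                # Signature status tells you whether the binary is validly signed; the signer
                # subject tells you who vouched for it (vendor-signed drivers are trusted by default).
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            }

            [pscustomobject]@{
                Name      = $_.Name
                File      = $file
                State     = $_.State        # Running / Stopped
                StartMode = $_.StartMode    # Boot / System / Auto / Manual / Disabled
                Version   = $ver
                SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # True when the file name matches one of the article's driver stems.
                Flagged   = [bool]($watchPatterns | Where-Object { $file -match $_ })
            }
        }
}

$inventory = Get-DriverInventory

# Flagged entries first, so anything matching the watch list is at the top of the report.
$inventory |
    Sort-Object Flagged -Descending |
    Format-Table Name, File, State, StartMode, Version, SigStatus, Flagged -AutoSize

# Keep a CSV so the inventory can be diffed over time (constructed output path).
$inventory | Export-Csv -NoTypeInformation -Path "$env:TEMP\driver-inventory.csv"
```

Run it in an elevated session so every driver image is readable. A flagged row is not proof of a vulnerable build; compare the reported Version and Signer against the vendor's advisory, and treat drivers with StartMode other than Disabled that no installed product needs as candidates for removal, which is the attack-surface reduction the article recommends.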
"Vulnerable drivers are an effective privilege escalation technique due to the elevated level of access they have," Richard Gold, head of security engineering at cybersecurity firm Digital Shadows, tells ISMG. "The biggest danger from vulnerable drivers is their ability to allow attackers to escalate their privileges from being a standard user to being a super-user who is able to have full control of a machine. This privilege elevation can be used in conjunction with other attacker tools to result in full system compromise. This could result in the theft or destruction of any data on the system."