A vulnerability affecting a powerful and widely used driver from Intel can give malicious actors deep access to a device, firmware security company Eclypsium warns.
Eclypsium revealed in August that its researchers had identified serious vulnerabilities in more than 40 device drivers from 20 vendors, including AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde, Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro and Toshiba.
The flaws uncovered by the company can be exploited by a piece of malware to escalate privileges to kernel mode, allowing it to gain control over both the operating system and hardware and firmware interfaces.
Of all the vendors notified by Eclypsium until August, only Intel and Huawei released patches and advisories, and Phoenix and Insyde provided fixes to their OEM customers.
Eclypsium now says Intel this week also released patches for a vulnerability in its PMx Driver (PMxDrv). The security flaw affecting the PMx driver poses a serious risk due to the fact that the driver can read and write to physical memory, to model specific registers, control registers, IDT and GDT descriptor tables, and to debug registers. The driver can also gain I/O and PCI access.
“This level of access can provide an attacker with near-omnipotent control over a victim device,” Eclypsium warned in a blog post published on Tuesday.
The PMx driver, Eclypsium says, is “one of the most capable, feature-rich, and most common drivers we have seen to date.” The company explained that the driver is delivered by Intel with a tool provided to OEM vendors and their customers for updating a device’s BIOS, and it was also provided to customers as part of a toolset released in response to the discovery of some vulnerabilities in Intel technology.
One way to prevent attacks exploiting these types of vulnerabilities involves the use of Microsoft’s hypervisor-protected code integrity (HVCI) technology, which should protect the operating system kernel. However, the technology only works with newer processors.
Eclypsium says the best option for preventing attacks involves blocking or blacklisting problematic drivers. For example, Insyde, one of the companies whose drivers were found to be vulnerable, reached out to Microsoft and asked the tech giant to block affected versions of the driver via Windows Defender. According to Eclypsium, Insyde is the only vendor to have taken this step.