VMware found 34 vulnerable kernel drivers affecting products from popular manufacturers

Lord777

Only AMD and Phoenix Technologies fixed the vulnerabilities. Other vendors simply ignored the problem.

VMware's Threat Analysis Unit (TAU) has identified 34 vulnerable kernel drivers that attackers can use to modify firmware and elevate their privileges.

Exploitation of legitimately signed but vulnerable kernel drivers by cybercriminals and state-sponsored hacking groups is not uncommon. Such drivers let an attacker run code at kernel privilege, manipulate system processes, maintain persistence on the system, and bypass security features.

TAU specialists analyzed about 18,000 Windows driver samples collected from VirusTotal with a YARA rule. After excluding previously known vulnerable drivers, the team was left with several hundred file hashes corresponding to 34 unique, previously unknown vulnerable drivers.

The analysis covered both Windows Driver Model (WDM) and Windows Driver Framework (WDF) drivers, and the company published a list of file names associated with the problematic drivers. Among them are products from leading BIOS, PC and chip vendors.

Each of these drivers can be abused by an attacker who does not have system privileges to gain full control over the target device.

"An attacker who does not have system privileges can erase or change the firmware and/or increase privileges by exploiting vulnerable drivers," the VMware blog says.
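The pattern behind findings like these is an IOCTL handler that maps or writes hardware on behalf of whoever can open the device, with no caller or range checks. The following is an added example written for this post, not VMware's code and not any vendor's driver: a user-mode C model of a WDM METHOD_BUFFERED IOCTL handler that hands a caller-chosen physical address to a mapping primitive (MmMapIoSpace in a real driver), beside a hardened version of the same handler. The IOCTL code, the MMIO window and the "caller is admin" flag are assumptions; in a real driver the caller restriction is enforced by creating the device object with a restrictive SDDL (IoCreateDeviceSecure / WdfDeviceInitAssignSDDLString), and the model only records what would be mapped rather than mapping anything.

```c
/* Added example: user-mode model of a vulnerable vs. hardened WDM IOCTL handler.
 * Not a compilable driver and not code from VMware or any vendor; it models the
 * dispatch logic so the difference between the two handlers can be tested. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values a real handler would return (values are the Windows ones). */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_ACCESS_DENIED      0xC0000022u
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u

#define KERNEL_MODE 0u
#define USER_MODE   1u

/* Hypothetical IOCTL: CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS). */
#define IOCTL_MAP_PHYS 0x222000u

/* Assumed MMIO window the hypothetical device legitimately owns. */
#define ALLOWED_PHYS_BASE 0xFED10000ull
#define ALLOWED_PHYS_END  0xFED1FFFFull
#define MAX_MAP_LEN       0x10000u

/* Request as it arrives in Irp->AssociatedIrp.SystemBuffer (METHOD_BUFFERED). */
typedef struct {
    uint64_t phys_addr;   /* caller-chosen physical address */
    uint32_t length;      /* caller-chosen mapping length  */
} map_phys_req_t;

/* Minimal model of the IRP context the handler sees. */
typedef struct {
    unsigned    requestor_mode;  /* Irp->RequestorMode: KERNEL_MODE or USER_MODE */
    bool        caller_is_admin; /* stands in for the device SDDL decision (assumption) */
    const void *system_buffer;
    size_t      input_length;    /* Parameters.DeviceIoControl.InputBufferLength */
    uint64_t    mapped_phys;     /* what would be passed to MmMapIoSpace */
    uint32_t    mapped_len;
} irp_model_t;

/* Vulnerable pattern: trusts every field and every caller. In a real driver the
 * missing length check is also an out-of-bounds read of SystemBuffer; the model
 * always supplies a full struct, so only the logic flaw is exercised here. */
uint32_t vulnerable_ioctl(irp_model_t *irp)
{
    const map_phys_req_t *req = irp->system_buffer;
    irp->mapped_phys = req->phys_addr;    /* any physical address, e.g. SPI flash MMIO */
    irp->mapped_len  = req->length;       /* any length, no overflow check */
    return STATUS_SUCCESS;
}

/* Hardened pattern: validate buffer size, caller, and the requested range. */
uint32_t hardened_ioctl(irp_model_t *irp)
{
    if (irp->input_length < sizeof(map_phys_req_t))
        return STATUS_BUFFER_TOO_SMALL;

    /* Unprivileged user-mode callers are refused. A real driver would make this
     * unreachable by restricting who can open the device object at all. */
    if (irp->requestor_mode == USER_MODE && !irp->caller_is_admin)
        return STATUS_ACCESS_DENIED;

    const map_phys_req_t *req = irp->system_buffer;
    if (req->length == 0 || req->length > MAX_MAP_LEN)
        return STATUS_INVALID_PARAMETER;
    if (req->phys_addr < ALLOWED_PHYS_BASE || req->phys_addr > ALLOWED_PHYS_END)
        return STATUS_INVALID_PARAMETER;
    /* Overflow-safe end-of-range check: last byte must stay inside the window. */
    if ((uint64_t)req->length - 1 > ALLOWED_PHYS_END - req->phys_addr)
        return STATUS_INVALID_PARAMETER;

    irp->mapped_phys = req->phys_addr;
    irp->mapped_len  = req->length;
    return STATUS_SUCCESS;
}

/* Drives one user-mode request through either handler and returns its NTSTATUS. */
uint32_t run_request(bool hardened, bool caller_is_admin,
                     uint64_t phys_addr, uint32_t length, size_t input_length)
{
    map_phys_req_t req = { phys_addr, length };
    irp_model_t irp = {
        .requestor_mode = USER_MODE, .caller_is_admin = caller_is_admin,
        .system_buffer = &req, .input_length = input_length,
        .mapped_phys = 0, .mapped_len = 0,
    };
    return hardened ? hardened_ioctl(&irp) : vulnerable_ioctl(&irp);
}

int main(void)
{
    /* Constructed scenario: a non-admin user asks to map low physical memory. */
    printf("vulnerable, non-admin, phys 0x1000: 0x%08" PRIx32 "\n",
           run_request(false, false, 0x1000, 0x1000, sizeof(map_phys_req_t)));
    printf("hardened,   non-admin, phys 0x1000: 0x%08" PRIx32 "\n",
           run_request(true, false, 0x1000, 0x1000, sizeof(map_phys_req_t)));
    printf("hardened,   admin, in-window:       0x%08" PRIx32 "\n",
           run_request(true, true, ALLOWED_PHYS_BASE, 0x1000, sizeof(map_phys_req_t)));
    return 0;
}
```

The order of checks matters: length of the input buffer first (so the struct is never read past the end of SystemBuffer), then the caller, then the values, so an unprivileged caller learns nothing about which ranges the driver would accept.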

The developers of the vulnerable drivers were notified in the spring of 2023, but only two of them, Phoenix Technologies and Advanced Micro Devices (AMD), fixed the vulnerabilities.

VMware developed PoC exploits for several of the vulnerable drivers to show how they can be used to erase firmware or elevate privileges. The company also released the IDAPython script it used to automate the search for vulnerable WDM and WDF drivers.