Vulnerabilities Found in Dozens of Signed, Certified Device Drivers from Major Vendors

Tsing

The FPS Review
Staff member
Joined
May 6, 2019
Messages
871
Points
43
"Signed and certified does not mean safe." Security researcher Eclypsium has discovered that more than 40 drivers from hardware giants (e.g., ASUS, Huawei, NVIDIA, and Toshiba) are tainted with vulnerabilities that could allow read/write access to the Windows kernel. These were not only approved by third-party vendors, but Microsoft as well.

List of Affected Vendors
  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • GIGABYTE
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • NVIDIA
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba
A vulnerable driver installed on a machine could allow an application running with user privileges to escalate to kernel privileges and abuse the functionality of the driver. In other words, any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware.
 

Nanobot

Slightly less n00b
Joined
May 27, 2019
Messages
102
Points
28
Not that these companies have ever given a shit about it's users, but I think we might have reached the point where they really dgaf if people know just how much they dgaf.
 

Grimlakin

Quasi-regular
Joined
Jun 24, 2019
Messages
376
Points
43
Folks we can't be really surprised by this. In the name of speed and easy of design and efficiency. Driver makers, hardware makers, and OS vendors have had to speed up everything about how they validate and test. We can operate one of two ways.

1. Everything is checked for security before being allowed to be distributed. The checks are thorough and in depth and can find previously unknown vulnerabilities. (Nobody really does this OTHER than SOME security companies.)

2. Everything is checked for security before being allowed to be distributed. The checks are for all known vulnerabilities based on a sliding date with a 1-3 month update cycle for pulling in new vulnerabilities and retiring old. (this is pretty much anyone in the server hardware/software space that wants a good reputation. With the exception of like... intel? )

3. Things are checked and reviewed against a pre published check list of no no issues. Beyond that the compiler is verified to do specific check types and specific code options are verified. As long as things are being done with appropriate API calls all is assumed safe. (what we have today for the consumer space really.)


So we have to ask ourselves where does the problem here actually exist?

1. Microsoft took the hardware interface and Kernel interface AWAY from all of the vendors making drivers and built it into API calls. This does make it so we need far fewer reboots and such when doing updates. But it also means that if the API has a vulnerability then everything that calls that API also has the exact same vulnerability (based on this article.).

2. Vendors are using custom tools to bypass some API checks and in so doing are creating these vulnerabilities in the system?

Honestly I see number 1 being a issue in the majority of cases and 2 being a problem faced on a smaller scale by programmers who thought they were more talented than they are.

Your thoughts and ideas?
 
Become a Patron!
Top