VMware's Threat Analysis Unit (TAU) has identified 34 vulnerable kernel drivers that can be used to modify firmware and escalate privileges during an attack.
Exploitation of kernel drivers by cybercriminals and state-sponsored hacking groups is not rare. Such drivers can let attackers manipulate system processes, maintain persistence on the system and bypass security software.
TAU analysts examined about 18,000 Windows drivers collected from the VirusTotal database using a YARA rule. After excluding already known vulnerable drivers, the team found several hundred files associated with 34 unique, previously unknown vulnerable drivers.
The analysis covered Windows Driver Model (WDM) and Windows Driver Framework (WDF) drivers, and the company published a list of files related to the problematic drivers. Among them are products from leading BIOS, PC and chip manufacturers.
Exploiting any of these drivers can allow an attacker without system privileges to gain full control of the target device.
“An attacker who does not have system privileges can erase or modify the firmware and/or escalate privileges by exploiting vulnerable drivers,” the VMware blog says.
The developers of the vulnerable drivers were notified in spring 2023, but only two of them, Phoenix Technologies and Advanced Micro Devices (AMD), have fixed the vulnerabilities.
VMware has developed proof-of-concept exploits for several of the vulnerable drivers to show how they can be used to erase firmware or escalate privileges. The company also released the IDAPython script that it used to automate the search for vulnerable WDM and WDF drivers.
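The hunt described above starts from a YARA rule that pulls candidate kernel drivers out of a large sample set. The rule below is an added illustration of that triage step and is not TAU's rule or VMware's code: it flags native-subsystem PE files that register a device object (the IOCTL entry point user-mode code talks to) or bind to the KMDF loader, and that also import kernel APIs giving raw access to physical memory or I/O ports. The specific import list is this example's assumption; a match marks a driver for manual review, not a confirmed vulnerability, because legitimate hardware-monitoring and firmware-update drivers import the same APIs.

```yara
import "pe"

// Added triage rule (not TAU's YARA rule). It selects kernel-mode PE files
// that expose an IOCTL interface and import raw hardware-access APIs, so a
// reviewer can look at how those APIs are gated. The import list below is
// this example's own assumption about what "raw hardware access" means.
rule Candidate_Kernel_Driver_With_Raw_Hardware_Access
{
    meta:
        description = "Kernel driver exposing a device object and importing raw hardware-access APIs"
        purpose     = "Triage candidate WDM/WDF drivers for manual review"

    condition:
        // MZ header and native subsystem: kernel-mode images only
        uint16(0) == 0x5A4D and
        pe.subsystem == pe.SUBSYSTEM_NATIVE and

        // Reachable from user mode: a WDM device object, or a KMDF driver
        // (KMDF drivers bind to the framework through WDFLDR.SYS)
        (
            pe.imports("ntoskrnl.exe", "IoCreateDevice") or
            pe.imports("WDFLDR.SYS", "WdfVersionBind")
        ) and

        // Raw access to physical memory or I/O ports
        (
            pe.imports("ntoskrnl.exe", "MmMapIoSpace") or
            pe.imports("ntoskrnl.exe", "MmMapIoSpaceEx") or
            pe.imports("ntoskrnl.exe", "ZwMapViewOfSection") or
            pe.imports("hal.dll", "READ_PORT_UCHAR") or
            pe.imports("hal.dll", "WRITE_PORT_UCHAR") or
            pe.imports("hal.dll", "READ_PORT_ULONG") or
            pe.imports("hal.dll", "WRITE_PORT_ULONG")
        )
}
```

Run it against a driver corpus with `yara -r rule.yar <directory>`; the hits are the review queue, and a quick first filter is to compare each hit's hash against VMware's published file list and the Microsoft vulnerable driver blocklist before spending analyst time on the IOCTL handlers.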