• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Drivers from Over 40 Manufacturers Including Intel, NVIDIA, AMD Vulnerable to Privilege Escalation Malware Attacks

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,231 (7.55/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Cybersecurity research firm Eclypsium published a report titled "Screwed Drivers," chronicling a critical flaw in the design of modern device driver software from over 40 hardware manufacturers, which allows malware to gain privilege from Ring 3 to Ring 0 (unrestricted hardware access). The long list of manufacturers publishing drivers that are fully signed and approved by Microsoft under its WHQL program, includes big names such as Intel, AMD, NVIDIA, AMI, Phoenix, ASUS, Toshiba, SuperMicro, GIGABYTE, MSI, and EVGA. Many of the latter few names are motherboard manufacturers who design hardware monitoring and overclocking applications that install kernel-mode drivers into Windows for Ring-0 hardware-access.

As part of its study, Eclypsium chronicles three classes of privilege-escalation attacks exploiting device drivers, RWEverything, LoJax (first UEFI malware), SlingShot. At the heart of these are the exploitation of the way Windows continues to work with drivers with faulty, obsolete, or expired signing certificates. Eclypsium hasn't gone into the nuts-and-bolts of each issue, but has briefly defined the three in a DEF CON presentation. The firm is working by several of the listed manufacturers on mitigations and patches, and is under embargo to put out a whitepaper. RWEverything is introduced by Eclypsium as a utility to access all hardware interfaces via software. It works in user-space, but with a one-time installed signed RWDrv.sys kernel-mode driver, acts as a conduit for malware to gain Ring-0 access to your machine. LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash. Slingshot is an APT with its own malicious driver that exploits other drivers with read/write MSR to bypass driver signing enforcement to install a rootkit.



View at TechPowerUp Main Site
 
Joined
Mar 6, 2017
Messages
3,327 (1.18/day)
Location
North East Ohio, USA
System Name My Ryzen 7 7700X Super Computer
Processor AMD Ryzen 7 7700X
Motherboard Gigabyte B650 Aorus Elite AX
Cooling DeepCool AK620 with Arctic Silver 5
Memory 2x16GB G.Skill Trident Z5 NEO DDR5 EXPO (CL30)
Video Card(s) XFX AMD Radeon RX 7900 GRE
Storage Samsung 980 EVO 1 TB NVMe SSD (System Drive), Samsung 970 EVO 500 GB NVMe SSD (Game Drive)
Display(s) Acer Nitro XV272U (DisplayPort) and Acer Nitro XV270U (DisplayPort)
Case Lian Li LANCOOL II MESH C
Audio Device(s) On-Board Sound / Sony WH-XB910N Bluetooth Headphones
Power Supply MSI A850GF
Mouse Logitech M705
Keyboard Steelseries
Software Windows 11 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
Joined
Jul 26, 2019
Messages
418 (0.21/day)
Processor R5 5600X
Motherboard Asus TUF Gaming X570-Plus
Memory 32 GB 3600 MT/s CL16
Video Card(s) Sapphire Vega 64
Storage 2x 500 GB SSD, 2x 3 TB HDD
Case Phanteks P300A
Software Manjaro Linux, W10 if I have to
I wonder if Linux drivers are affected
 
Joined
Dec 16, 2017
Messages
2,912 (1.15/day)
System Name System V
Processor AMD Ryzen 5 3600
Motherboard Asus Prime X570-P
Cooling Cooler Master Hyper 212 // a bunch of 120 mm Xigmatek 1500 RPM fans (2 ins, 3 outs)
Memory 2x8GB Ballistix Sport LT 3200 MHz (BLS8G4D32AESCK.M8FE) (CL16-18-18-36)
Video Card(s) Gigabyte AORUS Radeon RX 580 8 GB
Storage SHFS37A240G / DT01ACA200 / ST10000VN0008 / ST8000VN004 / SA400S37960G / SNV21000G / NM620 2TB
Display(s) LG 22MP55 IPS Display
Case NZXT Source 210
Audio Device(s) Logitech G430 Headset
Power Supply Corsair CX650M
Software Whatever build of Windows 11 is being served in Canary channel at the time.
Benchmark Scores Corona 1.3: 3120620 r/s Cinebench R20: 3355 FireStrike: 12490 TimeSpy: 4624
I remember someone from MS (or some book about Windows, my memory is kinda foggy right now) saying that Windows only uses two privilege levels, Ring 3 and 0, because some other CPU arch, which MS planned compatibility with in NT 3.x/4.0 times, only had those two... I wonder if that decision isn't coming back to bite them in the butt after all.
 
Joined
Apr 18, 2013
Messages
1,260 (0.30/day)
Location
Artem S. Tashkinov
I wonder if Linux drivers are affected

Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.
 
Joined
Mar 26, 2010
Messages
9,909 (1.85/day)
Location
Jakarta, Indonesia
System Name micropage7
Processor Intel Xeon X3470
Motherboard Gigabyte Technology Co. Ltd. P55A-UD3R (Socket 1156)
Cooling Enermax ETS-T40F
Memory Samsung 8.00GB Dual-Channel DDR3
Video Card(s) NVIDIA Quadro FX 1800
Storage V-GEN03AS18EU120GB, Seagate 2 x 1TB and Seagate 4TB
Display(s) Samsung 21 inch LCD Wide Screen
Case Icute Super 18
Audio Device(s) Auzentech X-Fi Forte
Power Supply Silverstone 600 Watt
Mouse Logitech G502
Keyboard Sades Excalibur + Taihao keycaps
Software Win 7 64-bit
Benchmark Scores Classified
LoJax (first UEFI malware) can rewrite UEFI? never thought that malware can rewrite in BIOS level
 
Joined
Sep 15, 2007
Messages
3,946 (0.63/day)
Location
Police/Nanny State of America
Processor OCed 5800X3D
Motherboard Asucks C6H
Cooling Air
Memory 32GB
Video Card(s) OCed 6800XT
Storage NVMees
Display(s) 32" Dull curved 1440
Case Freebie glass idk
Audio Device(s) Sennheiser
Power Supply Don't even remember
Microsoft driver signing is a joke and doesn't even work, anyway. Blame them. You could patch every driver with malware and no one would be the wiser.
 
Joined
Jul 17, 2011
Messages
85 (0.02/day)
System Name Custom build, AMD/ATi powered.
Processor AMD FX™ 8350 [8x4.6 GHz]
Motherboard AsRock 970 Extreme3 R2.0
Cooling be quiet! Dark Rock Advanced C1
Memory Crucial, Ballistix Tactical, 16 GByte, 1866, CL9
Video Card(s) AMD Radeon HD 7850 Black Edition, 2 GByte GDDR5
Storage 250/500/1500/2000 GByte, SSD: 60 GByte
Display(s) Samsung SyncMaster 950p
Case CoolerMaster HAF 912 Pro
Audio Device(s) 7.1 Digital High Definition Surround
Power Supply be quiet! Straight Power E9 CM 580W
Software Windows 7 Ultimate x64, SP 1
LoJax (first UEFI malware) can rewrite UEFI? never thought that malware can rewrite in BIOS level
Sometimes the malware actually sits at BIOS-level, while pretending to be some UEFI in the first place.

Smartcom
 

Space Lynx

Astronaut
Joined
Oct 17, 2014
Messages
17,202 (4.66/day)
Location
Kepler-186f
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

Speaking of NVIDIA Windows drivers: they fixed a large number of vulnerabilities in their latest release which I'd recommend everyone have updated to already.

Very nice, I was planning to move to Linux Mint XFCE as a large number of the games I want to play work natively on Linux now, and Freesync also apparently works on Linux now.
 
Joined
Jul 10, 2017
Messages
2,671 (0.99/day)
129008
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,167 (2.81/day)
Location
Concord, NH, USA
System Name Apollo
Processor Intel Core i9 9880H
Motherboard Some proprietary Apple thing.
Memory 64GB DDR4-2667
Video Card(s) AMD Radeon Pro 5600M, 8GB HBM2
Storage 1TB Apple NVMe, 4TB External
Display(s) Laptop @ 3072x1920 + 2x LG 5k Ultrafine TB3 displays
Case MacBook Pro (16", 2019)
Audio Device(s) AirPods Pro, Sennheiser HD 380s w/ FIIO Alpen 2, or Logitech 2.1 Speakers
Power Supply 96w Power Adapter
Mouse Logitech MX Master 3
Keyboard Logitech G915, GL Clicky
Software MacOS 12.1
129007


In all seriousness, anything that runs with elevated privileges at any point could theoretically be a vector for attack, even in Linux. The difference is how drivers in Linux are delivered versus on Windows.
 
Joined
Dec 22, 2011
Messages
3,890 (0.82/day)
Processor AMD Ryzen 7 3700X
Motherboard MSI MAG B550 TOMAHAWK
Cooling AMD Wraith Prism
Memory Team Group Dark Pro 8Pack Edition 3600Mhz CL16
Video Card(s) NVIDIA GeForce RTX 3080 FE
Storage Kingston A2000 1TB + Seagate HDD workhorse
Display(s) Samsung 50" QN94A Neo QLED
Case Antec 1200
Power Supply Seasonic Focus GX-850
Mouse Razer Deathadder Chroma
Keyboard Logitech UltraX
Software Windows 11
Joined
Sep 17, 2014
Messages
22,431 (6.03/day)
Location
The Washing Machine
Processor 7800X3D
Motherboard MSI MAG Mortar b650m wifi
Cooling Thermalright Peerless Assassin
Memory 32GB Corsair Vengeance 30CL6000
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s) Gigabyte G34QWC (3440x1440)
Case Lian Li A3 mATX White
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse Steelseries Aerox 5
Keyboard Lenovo Thinkpad Trackpoint II
Software W11 IoT Enterprise LTSC
Benchmark Scores Over 9000
So it got discovered before major abuse occurred and now we get a fix.

Problem is being solved... next! :)
 

HTC

Joined
Apr 1, 2008
Messages
4,664 (0.77/day)
Location
Portugal
System Name HTC's System
Processor Ryzen 5 5800X3D
Motherboard Asrock Taichi X370
Cooling NH-C14, with the AM4 mounting kit
Memory G.Skill Kit 16GB DDR4 F4 - 3200 C16D - 16 GTZB
Video Card(s) Sapphire Pulse 6600 8 GB
Storage 1 Samsung NVMe 960 EVO 250 GB + 1 3.5" Seagate IronWolf Pro 6TB 7200RPM 256MB SATA III
Display(s) LG 27UD58
Case Fractal Design Define R6 USB-C
Audio Device(s) Onboard
Power Supply Corsair TX 850M 80+ Gold
Mouse Razer Deathadder Elite
Software Ubuntu 20.04.6 LTS
So it got discovered before major abuse occurred and now we get a fix.

Problem is being solved... next! :)

And you know this ... how exactly?

For all we know, it could have been used repeatedly without anyone figuring out this was the cause. Now that it's known, developers involved can figure out ways to patch it, but before ... your guess is as good as mine.
 
Joined
Sep 17, 2014
Messages
22,431 (6.03/day)
Location
The Washing Machine
Processor 7800X3D
Motherboard MSI MAG Mortar b650m wifi
Cooling Thermalright Peerless Assassin
Memory 32GB Corsair Vengeance 30CL6000
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s) Gigabyte G34QWC (3440x1440)
Case Lian Li A3 mATX White
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse Steelseries Aerox 5
Keyboard Lenovo Thinkpad Trackpoint II
Software W11 IoT Enterprise LTSC
Benchmark Scores Over 9000
And you know this ... how exactly?

For all we know, it could have been used repeatedly without anyone figuring out this was the cause. Now that it's known, developers involved can figure out ways to patch it, but before ... your guess is as good as mine.

Because the internet would be too small if it did...
 

HTC

Joined
Apr 1, 2008
Messages
4,664 (0.77/day)
Location
Portugal
System Name HTC's System
Processor Ryzen 5 5800X3D
Motherboard Asrock Taichi X370
Cooling NH-C14, with the AM4 mounting kit
Memory G.Skill Kit 16GB DDR4 F4 - 3200 C16D - 16 GTZB
Video Card(s) Sapphire Pulse 6600 8 GB
Storage 1 Samsung NVMe 960 EVO 250 GB + 1 3.5" Seagate IronWolf Pro 6TB 7200RPM 256MB SATA III
Display(s) LG 27UD58
Case Fractal Design Define R6 USB-C
Audio Device(s) Onboard
Power Supply Corsair TX 850M 80+ Gold
Mouse Razer Deathadder Elite
Software Ubuntu 20.04.6 LTS
Because the internet would be too small if it did...

All we would hear was company X was attacked and Y stuff was compromised.

When companies are victim of such breaches, they don't publish how they were attacked, do they?
 
Joined
Sep 17, 2014
Messages
22,431 (6.03/day)
Location
The Washing Machine
Processor 7800X3D
Motherboard MSI MAG Mortar b650m wifi
Cooling Thermalright Peerless Assassin
Memory 32GB Corsair Vengeance 30CL6000
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Lexar NM790 4TB + Samsung 850 EVO 1TB + Samsung 980 1TB + Crucial BX100 250GB
Display(s) Gigabyte G34QWC (3440x1440)
Case Lian Li A3 mATX White
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse Steelseries Aerox 5
Keyboard Lenovo Thinkpad Trackpoint II
Software W11 IoT Enterprise LTSC
Benchmark Scores Over 9000
All we would hear was company X was attacked and Y stuff was compromised.

When companies are victim of such breaches, they don't publish how they were attacked, do they?

Yes, they have to because its a data leak and if they don't, they're breaking the law. And if they know about a data leak, steps can be taken to mitigate.
 
Joined
Mar 23, 2016
Messages
4,841 (1.53/day)
Processor Core i7-13700
Motherboard MSI Z790 Gaming Plus WiFi
Cooling Cooler Master RGB something
Memory Corsair DDR5-6000 small OC to 6200
Video Card(s) XFX Speedster SWFT309 AMD Radeon RX 6700 XT CORE Gaming
Storage 970 EVO NVMe M.2 500GB,,WD850N 2TB
Display(s) Samsung 28” 4K monitor
Case Phantek Eclipse P400S
Audio Device(s) EVGA NU Audio
Power Supply EVGA 850 BQ
Mouse Logitech G502 Hero
Keyboard Logitech G G413 Silver
Software Windows 11 Professional v23H2
Joined
Aug 20, 2007
Messages
21,452 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Linux is a different beast altogether. Aside from proprietary NVIDIA/AMD GPU drivers everything else is open source or already in the kernel (to be fair there are RAID drivers as well but they are barely used by consumers). TLDR: This announcement has almost nothing to do with Linux.

UEFI malware is however OS independent, and could operate in any OS theoretically.
 
Joined
Feb 29, 2016
Messages
12 (0.00/day)
This is not a driver problem. How should anyone prevent any software from accessing their driver, if Windows offers no way for doing so?
 
Joined
Mar 10, 2015
Messages
3,984 (1.12/day)
System Name Wut?
Processor 3900X
Motherboard ASRock Taichi X570
Cooling Water
Memory 32GB GSkill CL16 3600mhz
Video Card(s) Vega 56
Storage 2 x AData XPG 8200 Pro 1TB
Display(s) 3440 x 1440
Case Thermaltake Tower 900
Power Supply Seasonic Prime Ultra Platinum
This is a Microsoft problem more than the other 40 companies.
 
Joined
Aug 20, 2007
Messages
21,452 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
How should anyone prevent any software from accessing their driver, if Windows offers no way for doing so?

A driver like the above should never have been signed in the first place.

Drivers with obvious priviledge escalation issues should not be signed either.

More often than not they are though, that is only half the issue though. There are aparently priviledge escalation means via signed drivers to bypass driver signing entirely.

tl;dr: The entire system is a lousy, broken mess, and it mostly originates in Microsoft policy.

So it got discovered before major abuse occurred and now we get a fix.

Problem is being solved... next! :)

Depends on your definition of "Major."

I've seen it used.

The biggest lesson from this is even nonadmin code run on your machine is now very dangerous. Honestly, you should always think this way and only run trusted code, but reality makes that hard.
 
Last edited:

HTC

Joined
Apr 1, 2008
Messages
4,664 (0.77/day)
Location
Portugal
System Name HTC's System
Processor Ryzen 5 5800X3D
Motherboard Asrock Taichi X370
Cooling NH-C14, with the AM4 mounting kit
Memory G.Skill Kit 16GB DDR4 F4 - 3200 C16D - 16 GTZB
Video Card(s) Sapphire Pulse 6600 8 GB
Storage 1 Samsung NVMe 960 EVO 250 GB + 1 3.5" Seagate IronWolf Pro 6TB 7200RPM 256MB SATA III
Display(s) LG 27UD58
Case Fractal Design Define R6 USB-C
Audio Device(s) Onboard
Power Supply Corsair TX 850M 80+ Gold
Mouse Razer Deathadder Elite
Software Ubuntu 20.04.6 LTS
Yes, they have to because its a data leak and if they don't, they're breaking the law. And if they know about a data leak, steps can be taken to mitigate.

To authorities yes, but not to the general public, and that's if / when company X discloses it was hacked.

General pubic may have been a target in the meanwhile in order for the hackers to "hone the hack" and, most likely, those affected individuals were never able to figure out how they got attacked.
 
Joined
Feb 29, 2016
Messages
12 (0.00/day)
A driver like the above should never have been signed in the first place.

Everyone can sign drivers, if they buy a driver signing certificate. The problem is Windows is not offering per-application rights to access privileged resources, like on Android for example. The first time you start an application, Windows should ask you to allow the access to drivers/hardware, and give you the option to remove the rights later.
 
Joined
Aug 20, 2007
Messages
21,452 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
Everyone can sign drivers, if they buy a driver signing certificate.

Wrong. You need to go through WHQL before you can sign a kernel mode driver (the kind we are talking about). You furthermore need an EV-signing cert which requires you to run every signing by MS (as well as register your business with MS for blame reasons when something goes wrong).

I know, because I just failed to go through this wringer attempting to sign the open source driver for vjoy. I was refused due to not being a full business license grade business.

google "R-T-B vjoy 1903" and you can see my proof.

The weak points in this otherwise strong system is next to no code inspection and a total lack of use of cert revocation.

The problem is Windows is not offering per-application rights to access privileged resources,

The thing is that unprivileged accesses can be escalated. Thus your system would do nothing for this issue.
 
Last edited:
Top