

"People that write Ring 0 code and write it badly are a danger to society." - Mickey Shkatov

There's an attack technique called Bring Your Own Vulnerable Driver (BYOVD). In this attack, an adversary with administrative privileges installs a legitimately signed driver on the victim system. The legitimate driver has a vulnerability that the attacker exploits to gain ring 0 access. Access to ring 0 allows the attacker to subvert or disable security mechanisms and allows them to hide deeper in the system.

In our analysis of CVE-2021-21551, a write-what-where vulnerability (see CWE-123) in a Dell driver, we found that Dell's update didn't fix the write-what-where condition but only limited access to administrative users. According to the Microsoft Security Servicing Criteria for Windows, there is no security boundary between an administrator and the Windows kernel, so by Microsoft's definition of security boundaries Dell's fix removed the security issue. However, the partially fixed driver can still help attackers.

Known usage in the wild

BYOVD is a common technique used by advanced adversaries and opportunistic attackers alike.
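The defender's side of the BYOVD pattern described above is watching what gets loaded into ring 0. The following is an added example, not code from the article or from Dell or Rapid7: it triages driver-load records shaped like Sysmon Event ID 6 (DriverLoad) entries and flags the three things that distinguish a BYOVD load, an unsigned or invalidly signed image, a correctly signed image whose hash is on a known-vulnerable list, and a driver loaded from a directory where installed drivers do not normally live. The Sysmon field names (ImageLoaded, Hashes, Signed, SignatureStatus) are the real ones; every value, including the blocklist hash, is constructed and labelled as a placeholder.

```python
"""
Added example (not from the original article): flag kernel-driver loads that fit
the BYOVD pattern. Input is a few constructed records shaped like Sysmon Event ID 6
(DriverLoad) data. Field names are Sysmon's; the values are invented, and the
blocklist entry is a placeholder, not the hash of any real driver.
"""
from dataclasses import dataclass

# Placeholder standing in for an organisation's blocklist of signed-but-vulnerable
# drivers (populated in practice from vendor advisories / the Windows driver blocklist).
BLOCKLIST_SHA256 = {
    "placeholder_sha256_of_known_vulnerable_driver",
}

# Directories from which a properly installed driver is normally loaded.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    image_loaded: str
    hashes: dict          # algorithm -> lowercase hex digest
    signed: bool
    signature_status: str


def parse_hashes(hash_field: str) -> dict:
    """Parse Sysmon's 'ALG=HEX,ALG=HEX' Hashes field into {ALG: lowercase digest}."""
    out = {}
    for part in hash_field.split(","):
        if "=" in part:
            alg, digest = part.split("=", 1)
            out[alg.strip().upper()] = digest.strip().lower()
    return out


def parse_event(record: dict) -> DriverLoad:
    """Turn one raw event dict into a DriverLoad."""
    return DriverLoad(
        image_loaded=record["ImageLoaded"],
        hashes=parse_hashes(record.get("Hashes", "")),
        signed=record.get("Signed", "false").lower() == "true",
        signature_status=record.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad) -> list:
    """Return the reasons this load looks like BYOVD; an empty list means nothing odd."""
    reasons = []
    path = load.image_loaded.lower()
    if not load.signed or load.signature_status.lower() != "valid":
        # Driver Signature Enforcement should block these; seeing one implies DSE is off or bypassed.
        reasons.append("unsigned or invalid signature")
    if load.hashes.get("SHA256") in BLOCKLIST_SHA256:
        # A valid signature proves origin, not safety: the signed driver is the vulnerability.
        reasons.append("hash matches known-vulnerable driver")
    if not path.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from unexpected directory")
    return reasons


def triage(records: list) -> dict:
    """Map driver path -> reasons for every record that raised at least one reason."""
    findings = {}
    for rec in records:
        load = parse_event(rec)
        reasons = assess(load)
        if reasons:
            findings[load.image_loaded] = reasons
    return findings


# Constructed sample records shaped like Sysmon Event ID 6 data (all values invented).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\storport.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\vulnerable_vendor_driver.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\unsigned.sys",
     "Hashes": "SHA256=" + "f" * 64, "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for drv_path, why in triage(SAMPLE_EVENTS).items():
        print(drv_path, "->", "; ".join(why))
```

The hash check is the one that matters for the Dell case the article describes: a signed driver that loads cleanly from a normal location still raises a finding when its hash is on the known-vulnerable list, because signing says who built the driver, not whether it is safe to have in ring 0.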
