Eclypsium experts found a vulnerability affecting the popular PMx Driver Intel driver that can give malicious actors deep access to a device.

In August, Eclypsium researchers found multiple serious vulnerabilities in more than 40 device drivers from tens of vendors, including AMI, ASRock, ASUS, ATI, Biostar, EVGA, Getac, Gigabyte, Huawei, Insyde , Intel, MSI, NVIDIA, Phoenix Technologies, Realtek, SuperMicro and Toshiba.

The experts warn that the vulnerabilities that can be exploited by attackers to deploy persistent backdoor on vulnerable systems.

The experts pointed out that since they reported the issued to the vendor, only Intel and Huawei addressed them with patches and advisories, while Insyde and Phoenix provided patches to their OEM customers.

According to Eclypsium, Intel addressed a vulnerability in its PMx Driver (PMxDrv). The vulnerability could be exploited to have full access to the devices. The driver implements a superset of all the capabilities including read and write to physical memory, model specific registers, control registers, IDT and GDT descriptor tables, debug registers, gain I/O and PCI access.

“This level of access can provide an attacker with near-omnipotent control over a victim device. Just as importantly, this capability has been included as a staple component of many Intel ME and BIOS related toolsets going back to 1999.” reads the analysis published by Eclypsium.”Ironically, the very tool released by Intel to detect and mitigate a recent AMT vulnerability included the vulnerable driver as part of the toolset used to solve the AMT issue.”

Experts recommend users and organizations to enable Hypervisor-protected Code Integrity (HVCI) for devices that support the feature.

This option will only work with 7th generation or newer processor, new processor features such as mode-based execution control, this means it will not possible to enable HVCI on many devices.

The only universally effective possible consist of blocking or blacklisting old, known-bad drivers.

“The only universally available option possible today is to block or blacklist old, known-bad drivers. To this end, we would like to specifically commend the response of Insyde Software, a UEFI firmware vendor. Of the 19 vendors we notified early this summer, Insyde is the only vendor to date to proactively contact Microsoft and ask that the old version of the driver be blocked.” concludes the report. “Due to this request, Windows Defender will proactively quarantine the vulnerable version of the driver so it can’t cause damage to the system.”

Pierluigi Paganini