Flaw in Intel PMx driver gives 'near-omnipotent control over a victim device'

Intel released an updated version of pmxdrvx64.sys and pmxdrv.sys; however, patching might take a while.


Intel released today an updated version of its PMx driver to fix a set of vulnerabilities that could grant attackers "near-omnipotent control over a victim device."

The vulnerabilities were discovered earlier this year by researchers from Eclypsium, as part of a mammoth project that looked at the overall state of Windows kernel driver security.

Over the summer, Eclypsium researchers presented their findings at the DEF CON 27 security conference in Las Vegas. At the time, they disclosed over 40 vulnerabilities in kernel drivers from 20 different hardware vendors.

They only made public details about 39 kernel drivers, holding back on disclosing a few issues that had yet to be fixed.

Two of those issues were fixed three days after Eclypsium's DEF CON talk, on August 13, when Intel released fixes for the Intel Processor Identification Utility and the Intel Computing Improvement Program.

Fixes for Intel's PMx driver rolling out today

"Another driver that was held under embargo due to the complexity of the issue was the Intel PMx Driver (also named PMxDrv)," the Eclypsium team said in a blog post today.

"During our analysis of the Intel PMx driver, we found it to be incredibly capable, containing a superset of all the capabilities that we had seen previously."

According to the researchers, this kernel driver could:

● Read/Write to physical memory
● Read/Write to Model Specific Registers (MSR)
● Read/Write to control registers
● Read/Write to the interrupt descriptor table (IDT) and the global descriptor table (GDT)
● Read/Write to debug registers
● Arbitrarily gain I/O access
● Arbitrarily gain PCI access

As Eclypsium researchers told ZDNet in an interview back in August, all these legitimate PMx driver features could be abused by malicious code running on an infected machine.

Normally, an attacker would need admin rights to access a kernel driver's functions, but Eclypsium said that many vendors had failed to protect kernel drivers according to safe programming practices, and were allowing userspace apps to call kernel driver functions without any restrictions.

Such was the case for Intel's PMx driver.

Making matters worse, this is one of the most popular and widely used kernel drivers in existence. The driver has been a common component of many Intel ME and BIOS-related tools that Intel has been releasing for the past two decades, since 1999.

For example, one of the places you'll find the driver is a "detection tool" that Intel released in 2017 to help system administrators identify if their workstations and servers were vulnerable to a major bug in the Intel Management Engine.

When reached for comment, Intel told ZDNet via email that it would be releasing updated versions of the pmxdrvx64.sys and pmxdrv.sys PMx driver files today to mitigate any potential security threats.

However, as we've seen in the past with many products, it will take a few months, if not years, for these patches to reach most of Intel's user base.
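Because the driver ships bundled inside Intel tools and patches arrive slowly, administrators may want to inventory where copies of it exist. The following PowerShell sketch is an added example, not code from Intel, Eclypsium or ZDNet; the search roots are assumptions, and since this page does not give the fixed version number, the script reports file versions for comparison against Intel's advisory rather than judging them.

```powershell
# Added example: inventory copies of the PMx driver named in the article.
$DriverNames = @('pmxdrvx64.sys', 'pmxdrv.sys')   # file names from the article
$SearchRoots = @(                                  # assumed locations, adjust as needed
    "$env:SystemRoot\System32\drivers",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-PmxDriverOnDisk {
    param([string[]]$Roots, [string[]]$Names)
    # Bundled tools may drop the driver outside System32\drivers, so recurse.
    Get-ChildItem -Path $Roots -Include $Names -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                LastWrite   = $_.LastWriteTimeUtc
                SigStatus   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-PmxDriverService {
    param([string[]]$Names)
    # Kernel driver services whose image path ends in one of the file names.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $p = $_.PathName; $p -and ($Names | Where-Object { $p -like "*\$_" }) } |
        Select-Object Name, State, StartMode, PathName
}

$onDisk     = @(Get-PmxDriverOnDisk -Roots $SearchRoots -Names $DriverNames)
$registered = @(Get-PmxDriverService -Names $DriverNames)

$onDisk     | Format-List
$registered | Format-Table -AutoSize
"{0} file(s) on disk, {1} registered driver service(s)" -f $onDisk.Count, $registered.Count
```

A copy that is registered as a driver service and in the Running state is the higher priority to update or remove; files that only sit on disk inside an old tool directory can usually be deleted along with the tool.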

Summary of the "Screwed Drivers" research

For ZDNet readers who were not aware of the general issue that we first covered in August, below is a summary with the most important details they need to be aware of, along with helpful links:

  • Eclypsium found that many kernel drivers, meant to allow hardware components to interact with the OS kernel, were also allowing apps to relay commands to the kernel, with no safeguards.
  • A list of "unprotected kernel drivers" is available here.
  • A list of public security advisories is here. Only Intel and Huawei made the security flaws public, while most vendors chose to quietly patch impacted drivers.
  • Insyde contacted Microsoft and asked that the vulnerable version of their kernel driver be blocked at the OS level by Windows Defender.
  • Microsoft said it would be using its HVCI (Hypervisor-enforced Code Integrity) capability to blacklist vulnerable drivers that are reported to them.
  • The Windows HVCI feature only works on systems with a 7th gen Intel CPU, and is not generally available on all Windows systems. Manual patching may still be needed in the vast majority of cases.
  • The list of impacted driver vendors is as follows (three vendor names have not yet been made public because they're still working on patching):

● American Megatrends International (AMI)
● ASRock
● ASUSTeK Computer
● ATI Technologies (AMD)
● Biostar
● EVGA
● Getac
● GIGABYTE
● Huawei
● Insyde
● Intel
● Micro-Star International (MSI)
● NVIDIA
● Phoenix Technologies
● Realtek Semiconductor
● SuperMicro
● Toshiba