AL2021_31 A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit (29th September 2021)

Cybersecurity researchers from Eclypsium have disclosed an unpatched weakness in the Microsoft Windows Platform Binary Table (WPBT) that affects every Windows-based device since Windows 8 and could likely be exploited to install a rootkit and compromise the integrity of devices.

Summary

Researchers from Eclypsium stated, “these flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables”. These tables can be exploited by attackers with direct physical access, remotely, or through manufacturer supply chains. More importantly, these motherboard-level flaws can undermine initiatives like Secured-core because of the universal usage of the Advanced Configuration and Power Interface (ACPI) and WPBT.

How it works

WPBT is a feature that enables boot firmware to provide Windows with a platform binary that the operating system can execute. It allows PC manufacturers to point to signed portable executables or other vendor-specific drivers that come as part of the UEFI firmware read-only-memory (ROM) image in such a manner that it can be loaded into physical memory during Windows initialization and before executing any operating system code.

The main objective of WPBT is to allow critical features such as anti-theft software to persist even in scenarios where the operating system has been modified, formatted, or reinstalled. Given the functionality’s ability to have such software “stick to the device indefinitely”, Microsoft has warned of the possible security risks that could arise from misuse of WPBT, including the possibility of deploying rootkits on Windows machines.

The vulnerability is rooted in the fact that the WPBT mechanism can accept a signed binary with a revoked or an expired certificate, completely bypassing the integrity check. This permits an attacker to sign a malicious binary with an already available expired certificate and run arbitrary code with kernel privileges when the device boots up.
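To inventory which devices have firmware that publishes a WPBT and what it hands to Windows, a dumped copy of the table can be parsed offline. The following is an added example, not code from Eclypsium, Microsoft or this alert; the field layout is assumed from the published WPBT table format, and the sample table is constructed for illustration.

```python
import struct

# Layout assumed from the published WPBT format: 36-byte ACPI header, then
# handoff size (u32), handoff address (u64), layout (u8), type (u8), arg length (u16).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")


def parse_wpbt(raw: bytes) -> dict:
    """Parse a dumped WPBT ACPI table and report what the firmware hands off."""
    if len(raw) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _csum, oem_id = ACPI_HEADER.unpack_from(raw)[:5]
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if length > len(raw) or args_off + arg_len > length:
        raise ValueError("declared lengths exceed the dumped data")
    args = raw[args_off:args_off + arg_len].decode("utf-16-le", "replace")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "checksum_ok": sum(raw[:length]) % 256 == 0,  # ACPI tables sum to 0 mod 256
        "handoff_size": size,          # size of the binary placed in memory
        "handoff_address": addr,       # physical address of that binary
        "content_layout": layout,      # 1 = single PE image at the address
        "content_type": ctype,         # 1 = native user-mode application
        "arguments": args.rstrip("\x00"),
    }


def build_sample() -> bytes:
    """Constructed sample table (not taken from a real device)."""
    args = "/demo\x00".encode("utf-16-le")
    length = ACPI_HEADER.size + WPBT_BODY.size + len(args)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"SAMPLETB", 1, b"TEST", 1)
    body = WPBT_BODY.pack(0x20000, 0x7F000000, 1, 1, len(args))
    table = bytearray(hdr + body + args)
    table[9] = (-sum(table)) % 256  # checksum byte sits at offset 9 of the header
    return bytes(table)


if __name__ == "__main__":
    print(parse_wpbt(build_sample()))
```

A table that parses cleanly only shows that the firmware advertises a platform binary; whether that binary is allowed to run is what the WDAC policy described under Remediation controls.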

For more information on this vulnerability, kindly follow this URL:

https://eclypsium.com/2021/09/20/everyone-gets-a-rootkit/

Remediation

Microsoft has recommended customers use Windows Defender Application Control (WDAC) to limit what is allowed to run on their devices.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.