Cybersecurity experts have identified a potential threat in which hackers are exploiting a signed Lenovo driver to bypass security processes. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), allows attackers to circumvent endpoint protection mechanisms effectively.
Analysis of the Threat
Security analyst Jehad Abudagga has investigated the Lenovo driver, BootRepair.sys, which ships with Lenovo PC Manager. The findings revealed that this driver could be misused to terminate arbitrary processes from kernel mode. At the time of analysis, the driver was digitally signed by Lenovo and had no detections on VirusTotal, which makes it well suited to stealthy abuse.
The investigation showed that the driver creates a device object named \Device\BootRepair without a restrictive security descriptor, allowing low-privileged users to interact with it. Additionally, a symbolic link, \DosDevices\BootRepair, exposes the device to user-mode applications, and the driver performs no access control checks when handling IRP_MJ_CREATE requests.
Vulnerability Details
Further scrutiny of the driver’s IOCTL handler revealed a control code, 0x222014, which takes a 4-byte input buffer containing a process ID (PID). This PID is used by an internal function that terminates processes via the Windows kernel API ZwTerminateProcess. This vulnerability allows any user to terminate critical processes, including protected security services.
Two main attack scenarios arise from these vulnerabilities. If the driver is already present on a system, a low-privileged attacker can terminate antivirus or Endpoint Detection and Response (EDR) processes. Alternatively, attackers can deploy the driver as part of a BYOVD attack to disable defenses before executing further exploits.
Security Implications and Protections
The research underscores the increasing risk posed by BYOVD attacks, where adversaries exploit trusted drivers to compromise endpoint protections. Since the driver is signed and initially undetected, it can evade traditional security measures based on signature trust.
To mitigate these risks, organizations should block known vulnerable drivers using Microsoft’s recommended blocklist, monitor for suspicious driver activities, restrict loading of unapproved drivers, and utilize EDR solutions that detect misuse of legitimate drivers.
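Two of the points above can be made concrete in code. The following Python is an added example, not code from the article or from the cited research: it decodes the control code 0x222014 into its CTL_CODE fields (the FILE_ANY_ACCESS result means the I/O manager imposes no read/write requirement on callers, so the device object's security descriptor is the only gate), and it applies the mitigation advice as a review check over a constructed set of Sysmon-style driver-load events. The event fields, signer strings and paths are assumptions constructed for the example; only the driver name comes from the page.

```python
import ntpath

# Windows CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method
DEVICE_TYPES = {0x22: "FILE_DEVICE_UNKNOWN"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}

def decode_ioctl(code: int) -> dict:
    """Split an IOCTL control code into its CTL_CODE fields."""
    dev = (code >> 16) & 0xFFFF
    return {"device_type": DEVICE_TYPES.get(dev, hex(dev)),
            "access": ACCESS[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 0x3]}

# Driver file names known to be abusable; extend this from Microsoft's driver blocklist.
KNOWN_VULNERABLE = {"bootrepair.sys"}
TRUSTED_DIR = r"c:\windows\system32\drivers"

# Constructed Sysmon-style "Driver Loaded" (Event ID 6) records, not real telemetry.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\BootRepair.sys",
     "Signature": "Lenovo", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Temp\helper.sys",
     "Signature": "Unknown", "SignatureStatus": "Unsigned"},
]

def flag_driver_loads(events):
    """Return (path, reasons) for driver loads a defender should review.
    A valid signature is deliberately NOT treated as clearing the event."""
    findings = []
    for ev in events:
        path = ev["ImageLoaded"]
        reasons = []
        if ntpath.basename(path).lower() in KNOWN_VULNERABLE:
            reasons.append("known-vulnerable driver name")
        if ntpath.dirname(path).lower() != TRUSTED_DIR:
            reasons.append("loaded from outside the system driver directory")
        if ev["SignatureStatus"] != "Valid":
            reasons.append("signature not valid")
        if reasons:
            findings.append((path, reasons))
    return findings
```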
As attackers continue to exploit trusted components, enforcing proactive driver control and behavioral detection strategies is essential to safeguarding modern computing environments.
