Executive Summary

This vulnerability involves the Microsoft vulnerable driver block list, which is implemented as a Windows Defender Application Control (WDAC) policy. On Windows systems without Hypervisor-Protected Code Integrity (HVCI) enabled, certain blocklist entries that specify the signing certificate's TBS hash along with a 'FileAttribRef' qualifier (like file name or version) are not properly blocked. This means vulnerable or malicious drivers that should be blocked might still load, potentially allowing exploitation. The blocklist is intended to be used with HVCI enabled; systems without HVCI require a more granular approach using App Control policies to enforce blocking properly. [1]

Useful 0 Not Useful 0

Impact Analysis

If your Windows system does not have HVCI enabled or supported, vulnerable or malicious kernel drivers that should be blocked may still load due to improper enforcement of the driver blocklist. This can allow attackers to exploit these drivers to execute malware with elevated privileges in the Windows kernel, potentially leading to privilege escalation, system compromise, or other security breaches. Systems with HVCI enabled are protected as intended by the blocklist. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves verifying whether Hypervisor-Protected Code Integrity (HVCI) is enabled on the system, as the vulnerability affects systems without HVCI enabled or supported. You can check HVCI status using PowerShell commands such as `Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard` to query virtualization-based security and memory integrity status. Additionally, you can use the Windows Security app under Device Security > Core Isolation > Memory Integrity to check if HVCI is enabled. For verifying the application of the vulnerable driver blocklist policy, you can use Event Viewer to filter for event ID 3099 under CodeIntegrity logs, which confirms policy application. No specific network commands are provided for detection. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include enabling Hypervisor-Protected Code Integrity (HVCI) or Memory Integrity on your Windows system, which can be done via the Windows Security app (Device Security > Core Isolation > Memory Integrity), Group Policy, registry settings, or App Control for Business policies. If enabling HVCI is not feasible, Microsoft recommends applying the vulnerable driver blocklist using App Control for Business policies, starting in audit mode to monitor impact before enforcement. Additionally, enabling the Attack Surface Reduction (ASR) rule "Block abuse of exploited vulnerable signed drivers" helps prevent writing vulnerable drivers to disk. Applying the latest vulnerable driver blocklist policy involves downloading the policy files, placing them in `%windir%\system32\CodeIntegrity`, running the policy refresh tool, and rebooting the system to block vulnerable drivers. Careful testing is advised to avoid system malfunctions or blue screens. [1, 2]

Useful 0 Not Useful 0