Skip to content
arrow-alt-circle-up icon

Cyber Incident Call

arrow-alt-circle-up icon

00800 1744 0000

arrow-alt-circle-up icon

See all Vulnerability notices

CVE NUMBER

Requested.

CVSS SCORE

7.3 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SUMMARY

Our reverse engineering team discovered a kernel handle leak vulnerability in Hardware Access Driver. The vulnerability can be ubused for, for example, privilege escalation on a local system. During our research, we have also noticed that there have been recent attacks by Lazarus (APT) using another vulnerability in this same Hw64.sys/Hw.sys driver (source).

Impacted Versions

The vulnerable component is Hw64.sys, a kernel driver that facilitates in enumerating devices on the local system. The latest version of driver is 5.0.2.0 (originating from the file attributes of the PE-file). However, the software itself (PXI/PCI) states that the latest version 5.0.3.0 is installed.

  • MD5 (HW64.sys, version 5.0.2.0) = 9347fbeeaf917fc4a1d64a0b4d61187a
  • MD5 (intsaller.exe, version 5.0.3.0) = 1ed7945e47ef927eb2f482751c48112c

MarvinTest Solutions notified Northwave that version 5.0.4.0 includes a patch for the vulnerability.

DETAILS

The vulnerable component is Hw64.sys. There is at least one kernel handle leak present in the driver, which can be triggered from a low-privileged user context. This is due to the driver device being accessible by everyone on the local system. The kernel handle leak can be abused to obtain privilege escalation by abusing existing handles in other processes communicating with the driver.

TIMELINE

  • 04-03-2024 - Initial notice to and request for security contact.
  • 05-03-2024 - First reply from MarvinTest Solutions security team requesting more information.
  • 05-03-2024 - Sent full vulnerability details to MarvinTest Solutions security team.
  • 28-03-2024 - MarvinTest Solutions security team notified Northwave of patched versions.
  • 04-06-2024 - Planned public release of our blog post.

REFERENCE

Hardware Access Driver software: https://www.marvintest.com/Downloads.aspx?Type=Setup/Package&keywords=&filename=HW&search=download&FileID=303&UserAction=FileDownload

CREDIT

Discovered by Tijme Gommers, Jan-Jaap Korpershoek and Alex Oudenaarden of Northwave Cyber Security.

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.