Microsoft Defender Advanced Threat Protection’s kernel sensors recently discovered a security vulnerability in a device management driver in Huawei MateBook laptops that allowed local privilege escalation and allowed unauthorised parties to take control of a laptop.
According to Microsoft, security vulnerabilities in device management drivers and other tools can be quite critical considering that such software and tools contain components that run with ring-0 privileges in the kernel. A flawed component can compromise the entire kernel security design.
Microsoft assigned the vulnerability CVE-2019-5241 and informed Huawei about the flaw in its device management driver, for which the company released a fix quickly. The flaw was initially identified when Microsoft’s kernel sensors detected the injection of malicious code from a kernel that involved an abnormal memory allocation and execution in the context of services.exe by a kernel code.
Huawei MateBook laptops allowed privilege escalation by hackers
Upon further analysis, Microsoft’s engineers found the presence of a system thread called nt!NtAllocateVirtualMemory that allocated a single page with PAGE_EXECUTE_READWRITE protection mask in services.exe. While hunting for the kernel code that triggered the alert, Microsoft found that several third-party drivers were loaded on the same day the alert was sounded.
“We concluded based on their file path that they are all related to an app from Huawei called PC Manager, a device management software for Huawei MateBook laptops. The installer is available on Huawei website, so we downloaded it for inspection,” said Microsoft.
“Anomalous behaviors typically point to attack techniques perpetrated by adversaries with only malicious intent. In this case, they pointed to a flawed design that can be abused. Nevertheless, Microsoft Defender ATP exposed a security flaw and protected customers before it can even be used in actual attacks,” it added.
Huawei has confirmed the presence of vulnerabilities in Huawei PCManager product in Huawei MateBook laptops whose successful exploitation could result in an attacker obtaining a higher privilege and to execute code and read/write memory.
“It was introduced at the manufacture stage but the path by which it came to be there is unknown and the fact that it looks like an exploit that is linked to the NSA doesn’t mean anything,” said Alan Woodward, a professor at Surrey University to BBC.
“It could be organised crime gangs, which are increasingly interfering with the supply chain, or it could be someone playing geo-politics to discredit Huawei. There is no evidence that the company has done anything malicious or any evidence they were under pressure from the state,” he added.
However, Professor Woodward did indicate that the discovery of the vulnerability will do no justice to Huawei considering that the company is already facing a slew of allegations about using its communications equipment to spy on citizens on behalf of China.
“How did the software engineering processes allow this on? This is not going to help their case or reduce people’s concerns,” he added.