The Register: Microsoft signed a dodgy driver and now ransomware scum are exploiting it

Source URL: https://www.theregister.com/2025/03/04/paragon_partition_manager_ransomware_driver/
Source: The Register
Title: Microsoft signed a dodgy driver and now ransomware scum are exploiting it

Feedly Summary: Five flaws found in Paragon Partition Manager’s kernel-level .sys
Ransomware crooks are exploiting a third-party Windows kernel-level driver used and provided by disk management tool Paragon Partition Manager.…

AI Summary and Description: Yes

Summary: The text discusses a serious security vulnerability within the Paragon Partition Manager’s kernel-level driver, BioNTdrv.sys, which can be exploited by ransomware attackers to gain SYSTEM-level control over targeted Windows systems. This incident highlights the risks associated with trusted, signed drivers and the Bring Your Own Vulnerable Driver (BYOVD) technique used in such attacks.

Detailed Description:

The exploitation of vulnerabilities in trusted software components, specifically kernel-level drivers, poses critical security risks. Below are the major points discussed in the text:

– **Vulnerability Discovery**:
– A third-party Windows kernel-level driver used by Paragon Partition Manager has been found to have security flaws.
– The driver, BioNTdrv.sys, is Microsoft-approved and allows privileged access to storage devices, which a malicious actor can exploit.

– **Exploitation Mechanism**:
– Attackers can use the BYOVD technique, which involves loading a legitimately signed but vulnerable driver and abusing it to carry out malicious activities.
– The exploitation occurs even if Paragon Partition Manager is not installed on the targeted system, as the driver is allowed to run due to its trusted status.

– **List of Vulnerabilities**:
– Five vulnerabilities were disclosed, including:
– **CVE-2025-0288**: Arbitrary kernel memory vulnerability leading to privilege escalation.
– **CVE-2025-0287**: Null pointer dereference vulnerability allowing arbitrary kernel code execution.
– **CVE-2025-0286**: Arbitrary kernel memory write vulnerability for code execution.
– **CVE-2025-0285**: Arbitrary kernel memory mapping vulnerability enabling privilege escalation.
– **CVE-2025-0289**: Insecure kernel resource access allowing execution of privileged code.

– **Response and Mitigations**:
– Paragon Software has responded by releasing a fixed version of the driver (BioNTdrv.sys version 2.0.0).
– Microsoft has added vulnerable versions of the driver to its Vulnerable Driver Blocklist to prevent exploitation on Windows systems.

– **Practical Implications**:
– Security professionals should be aware of the risks associated with kernel-level drivers and the implications of the BYOVD attack vector.
– Organizations need to regularly monitor for updates on critical software components and ensure they implement security measures against known vulnerabilities.
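The mitigation and monitoring points above can be checked on an endpoint with a short PowerShell hunt. This is an added example, not code from the article or from Paragon or Microsoft; it assumes the fixed driver reports a file version of 2.0.0 or later (the version the article cites) and that the blocklist toggle lives at the `CI\Config` registry value named in the comments.

```powershell
# Added example: look for the Paragon driver named in the article and report
# whether Microsoft's Vulnerable Driver Blocklist is enforced on this host.
# Assumption: builds older than 2.0.0 are the vulnerable ones described above.
$FixedVersion = [version]'2.0.0'

function Get-BioNTdrvStatus {
    # Win32_SystemDriver lists registered kernel drivers with their on-disk path.
    # A BYOVD drop may only be loaded briefly, so treat a clean result as
    # "not registered right now", not as proof the driver was never used.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'BioNTdrv\.sys' }

    foreach ($d in $drivers) {
        # Normalise the NT-style paths the service database sometimes stores.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        $info = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
        $ver  = $null
        if ($info -and $info.FileVersion) {
            # FileVersion can carry trailing text; keep the dotted numeric part only.
            $ver = [version](($info.FileVersion -split '\s')[0])
        }
        [pscustomobject]@{
            Name       = $d.Name
            Path       = $path
            State      = $d.State            # "Running" means it is loaded now
            Version    = $ver
            Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
        }
    }
}

function Get-DriverBlocklistState {
    # Assumed location of the blocklist toggle (the value behind the
    # "Microsoft Vulnerable Driver Blocklist" switch in Windows Security).
    # Memory Integrity (HVCI) enforces the same list when it is turned on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistEnabled = [bool]($val -and $val.VulnerableDriverBlocklistEnable -eq 1)
    }
}

Get-BioNTdrvStatus | Format-Table -AutoSize
Get-DriverBlocklistState
```

Run it from an elevated prompt; a `Vulnerable = True` row on a host that does not run Paragon Partition Manager is exactly the BYOVD situation the article describes and warrants an incident-response look at who registered the driver.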

This incident serves as a reminder of the need for strict controls and monitoring around software dependencies, particularly those that operate at such a fundamental level in operating systems.