CVE-2022-3699 Lenovo Diagnostics Driver EoP – Arbitrary R/W

Mike Alfaro 11/8/2022

What Is a CVE?

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. Common Vulnerabilities and Exposures (CVE) is a database of these security issues. A CVE number uniquely identifies one vulnerability from the list. Enterprises typically use CVE, and corresponding CVSS scores, for planning and prioritization in their vulnerability management programs.

The CVE Program actively partners with community members worldwide to help grow CVE content and expand its use. Mike Alfaro, NephōSec Cybersecurity Engineer, submitted CVE-2022-3699 and it has been published to the CVE List. The CVE Record is now available for viewing by the public. The CVE details can be viewed below, the Lenovo Security Advisory entry or can be downloaded from the CVE website. https://www.cve.org/ 

Overview

CVE-2022-3699 describes the principal vulnerability within the EoP – Arbitrary R/W diagnostics driver, provided by Lenovo. Incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.

Explanation

IOCTL 0x222000:

  • rdmsr

IOCTL 0x222008/0x22200C:

  • HalGet/SetBusData

IOCTL 0x222010:

  • Read via MmMapIoSpace

IOCTL 0x222014:

  • Write via MmMapIoSpace
  • This IOCTL copies a value from a pointer supplied in the input buffer into mapped physical memory

How it works:

In order to resolve MmPteBase and other prerequisites, a physical “swap” space is found by searching the physical memory range 0x1000 – 0x10000 for 8 zero bytes.

Once that space is found, virtual memory is copied into that swap space via IOCTL 0x222014 and read back using IOCTL 0x222010.

As it is now, ALL virtual reads are done using this “swap” space.

Is it the best way to do virtual r/w? Probably not.

Does it work? Yes.

Oh, also, mind your own offsets — this was tested on Windows 11 21H2 with HVCI disabled.

Risks

A malicious actor in low integrity may exploit this vulnerability to achieve privileged code execution.

Detections and Mitigations

Update to Lenovo Diagnostics Application v4.45 or later.

https://support.lenovo.com/us/en/solutions/ht506581-lenovo-diagnostic-solutions-downloads

Ensure the Microsoft Driver Blacklist is enabled on all supported devices.