Understanding historical vulnerabilities is essential for any cybersecurity professional, and I can say this from personal experience.
CVE-2017-8625 is a good example of this. With this vulnerability, threat actors could get around User Mode Code Integrity (UMCI) by using Compiled HTML (CHM) files.
Trust me, this is a deep dive you won’t want to miss if you’re committed to fortifying your cybersecurity defenses.
Device Guard is a security feature introduced in Windows 10 and Windows Server 2016 to help prevent malware from exploiting vulnerabilities in applications. One component of Device Guard is User Mode Code Integrity (UMCI), which restricts the loading of unsigned code modules or drivers.
While Device Guard UMCI provides an additional layer of security, researchers have discovered techniques to bypass its protections using Microsoft Compiled HTML Help (.chm) files.
The Vulnerability: CVE-2017-8625
Background
User Mode Code Integrity (UMCI) is a security feature that restricts the execution of untrusted code in user mode. It’s a crucial part of Device Guard, a set of hardware and software security features designed to harden the operating system against malware.
CVE-2017-8625 was a significant vulnerability that allowed attackers to bypass UMCI using CHM files. CHM, or Compiled HTML, is a Microsoft proprietary online help format that consists of a collection of HTML pages and indexing files.
Exploitation Technique
The exploitation of this vulnerability involved crafting a malicious CHM file that could execute arbitrary code. By embedding scripts within the CHM file, an attacker could bypass UMCI restrictions and execute untrusted code with elevated privileges.

Relevance in 2023
While the specific vulnerability, CVE-2017-8625, has been patched, the underlying concepts and exploitation techniques continue to be relevant. Here’s why:
- Understanding Legacy Systems: Many organizations still operate on legacy systems that may not have received the necessary patches. Understanding this vulnerability helps in assessing the risks associated with such systems.
- Learning from History: Analyzing past vulnerabilities provides insights into potential future threats. The techniques used in CVE-2017-8625 can be a learning ground for security professionals to anticipate and mitigate similar vulnerabilities.
- Integration with Modern Technologies: The concepts of UMCI and CHM files are still applicable in the context of modern devices such as laptops, tablets, and wearables. Ensuring robust security measures on these devices requires a comprehensive understanding of past vulnerabilities.
Preventive Measures and Best Practices
- Regular Patching: Ensuring that all systems are up-to-date with the latest security patches is the first line of defense against vulnerabilities like CVE-2017-8625.
- Security Awareness: Educating users about the risks associated with opening untrusted CHM files and other potentially malicious attachments.
- Utilizing Advanced Security Tools: Leveraging AI-driven security solutions that can detect and prevent unknown threats by analyzing behavior and patterns.
- Monitoring and Logging: Implementing continuous monitoring and logging to detect any suspicious activities related to UMCI bypass or other similar exploits.
Background on Device Guard UMCI
Device Guard uses a combination of hardware and software security features to allow only trusted applications to run. On hardware that supports virtualization and Second Level Address Translation (SLAT), Device Guard leverages Windows Hypervisor Code Integrity (HVCI) to protect kernel mode processes and drivers. For user-mode processes, it uses UMCI, which disallows unsigned code modules from being loaded into memory.
UMCI works by requiring all executable code modules to be signed by a trusted certificate authority in order to load. Even if an attacker can exploit a vulnerability in a signed application, UMCI will block the resulting unsigned code from running. This prevents many scenarios where malware tries to load itself into the memory space of a legitimate process.

Bypassing UMCI with CHM Files
Despite these protections, security researchers have identified certain techniques that can be used to bypass Device Guard UMCI. One method involves using compiled HTML help (.chm) files.
CHM files contain compressed HTML pages and associated files that can be executed when the CHM file is opened. Researchers found that even on systems with Device Guard UMCI enabled, unsigned CHM files can be executed by exploiting the way the chmlib library handles file extraction.
Specifically, the chmlib library extracts files from a CHM archive into a temporary folder in order to render the HTML content. However, it does so without properly checking that the extracted files are valid HTML/text files. This enables a CHM file to contain executable files that chmlib will extract and launch.
Crafting a Malicious CHM File
To leverage this bypass technique, an attacker can create a malicious CHM file that contains an executable payload. When the CHM file is opened, the following steps occur:
- The chmlib library creates a temporary folder to extract the CHM contents into.
- The archive is extracted, which includes the attacker’s executable payload.
- Chmlib runs the executable, evading UMCI because the file is considered trusted as part of the CHM extraction process.
The payload can then carry out any actions allowed by the permissions of the process that opened the CHM file initially, such as downloading additional malware.
Researchers have been able to use this technique to successfully bypass UMCI and execute unsigned payloads included in CHM files. While Microsoft has partially mitigated this by requiring that CHM files themselves be signed on newer Windows versions, vulnerabilities may still exist that can allow properly crafted unsigned CHM files to bypass protections.
Detecting and Preventing CHM File Attacks
Since this technique relies on exploiting normal CHM file behavior, it can be difficult to detect based on file characteristics alone. However, there are steps that can be taken to reduce the risk of CHM file attacks:
- Restrict execution of .chm files: Using software restriction policies, group policies, or other mechanisms to block execution of .chm files can prevent exploitation via this method. Exceptions can be made for legitimate software that requires CHM files.
- Scan CHM file contents: Anti-malware scanning tools can extract and scan the contents of CHM files to detect irregular files or executable payloads. Signatures should be kept updated to detect new techniques.
- Monitor child process creation: Behavioral monitoring of process execution can detect suspicious child processes spun up by a CHM file, indicating malicious behavior.
- Keep software updated: Ensuring Windows and applications have the latest security patches prevents the exploitation of potential vulnerabilities in CHM handling routines.
- Consider using HVCI protection: On compatible hardware, enabling HVCI in addition to UMCI provides added protection against unsigned kernel payloads.
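As an added defensive example (not from the original post), the child-process monitoring point above expressed as detection logic over a few constructed process-creation records. It assumes the Windows HTML Help viewer, hh.exe, is the process that opens .chm files, and uses a simplified key=value event format loosely modelled on Sysmon process-creation fields.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Directories from which an installed product's help file would normally be opened.
TRUSTED_CHM_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")
# User-writable locations typically used by mail attachments and downloads.
UNTRUSTED_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\desktop\\")

# Constructed sample events (not real telemetry); hh.exe is assumed to be the CHM viewer.
SAMPLE_EVENTS = """\
ParentImage=C:\\Windows\\hh.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\hh.exe CommandLine="hh.exe C:\\Users\\alice\\Downloads\\invoice.chm"
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\hh.exe CommandLine="hh.exe C:\\Program Files\\Vendor\\help.chm"
ParentImage=C:\\Windows\\hh.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -enc AAAA"
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"
"""

def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def basename(path: str) -> str:
    return ntpath.basename(path).lower()

def analyze(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule, detail) alerts for CHM-related process activity."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        parent, image = ev.get("ParentImage", ""), ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        # Rule 1: the help viewer renders HTML; any child process it spawns is suspect.
        if basename(parent) == "hh.exe":
            alerts.append(("high", "hh.exe spawned child process", f"{basename(image)}: {cmd}"))
        # Rule 2: a .chm opened from a user-writable path is the usual attachment delivery.
        if basename(image) == "hh.exe":
            m = re.search(r'([A-Za-z]:\\[^"]*?\.chm)', cmd, re.IGNORECASE)
            if m:
                chm = m.group(1).lower()
                if not chm.startswith(TRUSTED_CHM_DIRS) and any(h in chm for h in UNTRUSTED_HINTS):
                    alerts.append(("medium", "CHM opened from untrusted location", chm))
    return alerts
```

Running `analyze(SAMPLE_EVENTS.splitlines())` yields two high-severity alerts for the cmd.exe and powershell.exe children and one medium alert for the CHM opened from the Downloads folder; the vendor help file under Program Files is not flagged.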
The Evolving Threat Landscape
Device Guard UMCI does provide meaningful additional protection against malware for enterprises. However, techniques like the CHM file bypass demonstrate that motivated attackers can still find ways around security boundaries.
As new vulnerabilities and methods emerge, Microsoft continues releasing updates and guidance to harden Device Guard protections. At the same time, attackers are developing innovative techniques to bypass protections and establish persistence.
Going into 2023, information security professionals should be aware of the capabilities and limitations of Device Guard UMCI in order to make informed decisions for their environment. Implementing additional monitoring, prevention, and detection controls is recommended to minimize risk.
The cat-and-mouse game between Microsoft and attackers trying to bypass Device Guard will continue to advance on both sides. With sound security architecture, the right blend of preventative and detective controls, and prompt patching, organizations can maximize their security posture against these types of emerging threats.
Other Device Guard and UMCI Bypass Techniques
In addition to CHM files, security researchers have identified other methods that can potentially bypass Device Guard protections under certain conditions:
- DLL injection: Loading unsigned DLLs into signed processes by leveraging vulnerabilities has been used to bypass UMCI. Microsoft has gradually restricted injection capabilities in recent Windows versions.
- COM objects: Unsigned COM objects that get loaded into signed processes may be able to bypass UMCI in some scenarios. However, Microsoft has reduced the attack surface here as well.
- Memory exploits: Low-level memory manipulation exploits might be able to execute unsigned code while evading certain kernel protections. Microsoft is continuing to work to harden HVCI against such techniques.
- Fileless attacks: Techniques that execute malicious code from memory without files on disk can evade file-based protections enforced by UMCI. Virtualization-based security can help here.
- Credential theft: Attacks that steal admin credentials can then sign malicious code to load it onto the protected system. Multifactor authentication helps mitigate this.
- Advanced Persistent Threat (APT): Falling victim to an Advanced Persistent Threat (APT) attack is arguably the most feared of the attacks, e.g., Target (2013), Sony (2014), Home Depot (2014). APTs are intelligent and sophisticated attacks that sometimes employ social-engineering tactics, targeting specific businesses and organizations. Because of their stealth characteristics, once a vulnerability is exploited by malware and creates a “backdoor” into the organization, the APT sometimes progresses to stealing data rather than causing damage to the endpoint or critical systems on the network, often going undetected for long periods of time.

These demonstrate why a defense-in-depth approach is necessary for security-sensitive environments. Relying solely on Device Guard UMCI is insufficient when faced with sophisticated adversaries.
Striking the Right Balance for Your Environment
Ultimately, the decision on whether to deploy Device Guard UMCI depends heavily on the threat profile and use cases of an organization.
For security-focused enterprises handling highly sensitive data, Device Guard can meaningfully raise the bar against commodity malware. However, determined, targeted attackers will likely be able to bypass UMCI given enough time and effort.
Organizations that need to run custom in-house applications or drivers may also find the signing requirements overly restrictive. Enabling only the HVCI component of Device Guard on compatible hardware can increase flexibility.
Like all security tools, Device Guard is not a silver bullet. It should be wielded together with other defenses like firewalls, endpoint detection and response (EDR), and user education. To decide whether the extra security that Device Guard offers justifies the potential drawbacks, organizations should conduct risk and compatibility assessments.
When implemented properly, Device Guard can serve as an obstacle that inexperienced attackers will be unable to overcome. Against targeted threats, it can help detect malicious activity faster and give security teams precious time to respond.
Conclusion
The analysis of CVE-2017-8625 serves as a reminder of the ever-present need for vigilance in cybersecurity. By understanding the past, we can better prepare for the future, ensuring that our laptops, tablets, AI tools, wearables, and apps remain secure in an increasingly interconnected world.
Stay tuned for my next security article!