“The black swan theory or theory of black swan events is a metaphor that describes an event that comes as a surprise, has a major effect, and is often inappropriately rationalized after the fact with the benefit of hindsight.” – Wikipedia
This past April, one of the most talented people I have ever worked with, Erik Egsgard (@hexnomad), was performing some research in relation to an upcoming Covalence feature. Along the way, something caught his eye—a vulnerability in the ALPC component of ntoskrnl.exe that was exploitable if triggered in an unexpected manner. Curious to see whether this pattern was prevalent in other components, he found several more instances of it along with a series of other vulnerabilities. A total of six 0-day privilege escalation bugs and one info leak were found, all in a single week (read more in the Blackswan Technical Write-Up):
- CVE-2021-34514 – privilege escalation bug in ntoskrnl.exe (patched in July 2021)
- CVE-2021-38629 – info leak in pacer.sys (patched in September 2021)
- CVE-2021-38628 – privilege escalation bug in tcpip.sys (patched in September 2021)
- CVE-2021-38638 – 3 privilege escalation bugs in afd.sys (patched in September 2021)
- CVE-2021-26442 – privilege escalation bug in http.sys (patched in October 2021)
Upon further research, it was found that these bugs have been present since Windows Vista (and Server 2008), released in 2007, which at the time of disclosure made almost every Windows computer in the world vulnerable. There are 1.3 billion Windows 10 devices in the world according to Microsoft, not to mention older desktop versions and server versions of Windows.
This discovery was unexpected and definitely a surprise given how many security researchers have looked into these components for vulnerabilities, whether manually or with automated tools. We affectionately gave this disclosure the “Blackswan” moniker because none of us anticipated that this is where one week’s effort would land, and because of the unexpected manner of exploitation required to reach the vulnerabilities.
Research was wrapped up and proof of concepts with full working exploits were provided to Microsoft in early May 2021, except for CVE-2021-34514, for which we could not get stable execution (related to grooming challenges). Although the Microsoft CVE reports indicate we did not provide working exploits, we absolutely did, and they had a success rate of 95%+. In fact, we have since matured the bugs into several kernel exploitation attack chains that we have added to our automated Covalence test matrix to further ensure it blocks these types of techniques/attacks.
How serious are these vulnerabilities? They are much more dangerous than their base scores of 7.8 would indicate. Consider this: a vulnerability in a Dell driver dbutil_2_3.sys, reported in May 2021 (CVE-2021-21551), was given a base score of 8.8. However, the applicability of this vulnerability in a productized attack chain is more complicated than a score of 8.8 should warrant:
- Only Dell computers could be exploited (smaller range of targets, albeit still lots out there), and
- To reach a non-Dell host, an attacker would need to bring the vulnerable dbutil_2_3.sys driver along and install and run it there (which may or may not work). This requires administrator credentials to load the driver before the exploit can even be executed. Generally, there are too many variables for a sophisticated attacker to use this as a wide attack.
However, with the Blackswan vulnerabilities, an attacker would only need to gain initial code execution on a host (even from within the Defender sandbox), and then exploit one of the privilege escalation vulnerabilities on the host—even from lowest possible privilege.
These vulnerabilities would be an extremely powerful addition to an attacker’s arsenal, whether a nation-state actor or a ransomware group. The focus on vulnerabilities is often on gaining initial remote execution on a host; however, this is only a sliver of an offensive operation. Depending on the initial exploitation vector and sandbox challenges, the Blackswan vulnerabilities are likely not the best candidates for initial exploitation. However, with regard to what happens after initial exploitation, they are absolute hacker gold.
Ransomware actors would use these types of vulnerabilities to turn entry vectors that typically aren’t based on web browser exploitation (credential theft, RDP brute-force, a non-sandboxed remote vulnerability, or just horrible general host/network security) into immediate kernel code execution, in a manner that is very hard to detect with traditional anti-virus or EDR solutions. Once kernel execution is attained, those anti-virus or EDR solutions can be disabled, and the ransomware actor can commence encrypting and/or deleting intellectual property without barriers.
On the other end of the spectrum, these types of vulnerabilities are key components of nation-state actor toolchains, in particular persistent malware that needs to raise its privilege on each boot of the host to facilitate ongoing intellectual property theft or general espionage. The fact that exploitation of the Blackswan vulnerabilities is generally difficult to detect, coupled with a high degree of reliability, makes them ideal candidates for these types of actors and operations.
In summary, we’re looking at over 1.3 billion vulnerable devices, ease of operational productization, and a high degree of reliability and applicability to various attack chains and offensive operational goals. Needless to say, please patch your Windows systems.
Finally, it’s worth mentioning the Blackswan set of 0-day vulnerabilities would have fetched between 1.5–2 million USD in the open market. Microsoft paid out a total bounty of 67K USD. This is why there’s still a private market for 0-days.