Paragon Software Hard Disk Manager Privilege Escalation Vulnerability in BioNTdrv.sys
Vulnerability
A null pointer dereference vulnerability has been identified in the BioNTdrv.sys driver shipped with various Paragon Software products, including the Hard Disk Manager (HDM) product line. It affects BioNTdrv.sys versions 10.1.X.Y and older, as well as specific 1.X.0.0 versions, excluding 2.0.0.0. The issue arises because the driver does not validate the MasterLrp structure supplied in the input buffer, which leads to a null pointer dereference. An attacker with local access can exploit this to execute arbitrary code in the kernel and escalate privileges to SYSTEM. This vulnerability has been observed in conjunction with BYOVD (Bring Your Own Vulnerable Driver) ransomware attacks, in which a vulnerable driver is loaded and exploited to gain elevated privileges before the malicious code runs.
Impact
Exploitation of this vulnerability allows for unauthorized execution of code in the kernel, with potential escalation of privileges to the SYSTEM level.
Remediation
Users can update to Paragon Hard Disk Manager version 2.0.0, which addresses this vulnerability. Instructions for downloading the update are available on the Paragon Software Support website. Additionally, Microsoft has added the vulnerable BioNTdrv.sys versions to its Vulnerable Driver Blocklist, which prevents them from loading and is enabled by default on Windows 11 devices.
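As an added example (not code from the advisory, Paragon or Microsoft), a PowerShell check a defender could run to locate BioNTdrv.sys copies on a host, classify their file version against the range stated above, and read the blocklist toggle. The function names are hypothetical, and the registry location of the VulnerableDriverBlocklistEnable value is an assumption taken from Microsoft's documentation as I recall it.

```powershell
# Added example, hypothetical helper: not Paragon or Microsoft code.
# Assumption: the blocklist toggle is this DWORD under CI\Config.
$BlocklistKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$BlocklistValue = 'VulnerableDriverBlocklistEnable'

function Test-BioNTdrvVersion {
    param([Parameter(Mandatory)][version]$Version)
    # Advisory range: 10.1.X.Y and older are affected; 2.0.0.0 is the fix.
    if ($Version -eq [version]'2.0.0.0') { return $false }
    return $Version -lt [version]'10.2.0.0'
}

function Get-BioNTdrvExposure {
    # On-disk copies in the drivers directory (add product install paths if needed).
    $paths = @(Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv.sys' `
                -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)
    # Registered kernel services pointing at the driver, whatever their state.
    $services = Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'BioNTdrv*' -or $_.PathName -like '*BioNTdrv.sys*' }
    foreach ($s in $services) {
        if ($s.PathName) { $paths += ($s.PathName -replace '^\\\?\?\\', '') }
    }
    $findings = foreach ($p in ($paths | Sort-Object -Unique)) {
        if (-not (Test-Path $p)) { continue }
        $vi  = (Get-Item $p).VersionInfo
        # Build the version from the numeric parts so odd FileVersion strings still parse.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $svc = $services | Where-Object { $_.PathName -like "*$([IO.Path]::GetFileName($p))*" } | Select-Object -First 1
        [pscustomobject]@{
            Path        = $p
            FileVersion = $ver.ToString()
            Affected    = Test-BioNTdrvVersion $ver
            ServiceState = if ($svc) { $svc.State } else { 'not registered' }
        }
    }
    $bl = Get-ItemProperty -Path $BlocklistKey -Name $BlocklistValue -ErrorAction SilentlyContinue
    $blState = if ($null -eq $bl) { 'value not set (platform default applies)' }
               elseif ($bl.$BlocklistValue -eq 1) { 'enabled' } else { 'disabled' }
    [pscustomobject]@{ Drivers = @($findings); VulnerableDriverBlocklist = $blState }
}

$result = Get-BioNTdrvExposure
$result.Drivers | Format-Table -AutoSize
"Vulnerable Driver Blocklist: $($result.VulnerableDriverBlocklist)"
```

Run it from an elevated prompt so the service and registry queries succeed; an "Affected = True" row with a Running service state is the condition the remediation above is meant to remove.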
