Microsoft Windows Vulnerable Driver Blocklist Enforcement Vulnerability

Vulnerability

A vulnerability exists in the Microsoft Windows driver blocklist enforcement mechanism on systems that do not have hypervisor-protected code integrity (HVCI) enabled. The issue lies in how the Windows Defender Application Control (WDAC) policy that carries the driver blocklist is enforced. On affected systems, blocklist entries that reference only the to-be-signed (TBS) hash of the code-signing certificate are blocked correctly. Entries that combine the signing certificate's TBS hash with a 'FileAttribRef' qualifier (for example a file name or version) are not blocked, so drivers matched by those entries can still be loaded. This vulnerability affects all Windows versions that either do not support HVCI or do not have it enabled, including Windows 10, Windows 11, and Windows Server 2016 and later.

Impact

The vulnerability results in incomplete enforcement of the driver blocklist: a vulnerable or malicious driver that the blocklist is meant to stop can still be loaded into the kernel. An attacker with the ability to install such a driver could then abuse its flaws to execute code in the kernel or elevate privileges.

Remediation

To address this vulnerability, enable HVCI, which is available on Windows 10, Windows 11, and Windows Server 2016 and later; with HVCI running, the affected blocklist entries are enforced correctly. If HVCI cannot be enabled, Microsoft recommends blocking the drivers listed in the vulnerable driver blocklist XML through the existing App Control for Business (WDAC) policy. Such a policy can be validated in audit mode before it is deployed in enforced mode. Additionally, the latest recommended driver blocklist can be applied with the App Control policy refresh tool.
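The following PowerShell script is an added example for this advisory, not code from Microsoft or from the advisory itself. It reports whether a machine is in the affected configuration (HVCI not running) and in what mode the kernel Code Integrity policy is enforced, using the Win32_DeviceGuard WMI class that Microsoft documents; the numeric meanings in the comments follow that documentation. The optional CiTool listing assumes Windows 11 22H2 or later, where CiTool.exe ships in the box, and the registry value used by Enable-HvciMemoryIntegrity is the one Microsoft documents for turning on HVCI (a reboot is required for it to take effect).

```powershell
function Test-HvciBlocklistExposure {
    # Added example: query the documented Win32_DeviceGuard class to see whether this
    # host relies on non-HVCI blocklist enforcement (the affected configuration).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $ciMode = switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
        0       { 'Off' }
        1       { 'Audit' }
        2       { 'Enforced' }
        default { "Unknown ($_)" }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus                 = [int]$dg.VirtualizationBasedSecurityStatus
        HvciRunning               = $hvciRunning
        KernelCiPolicyEnforcement = $ciMode
        # Without HVCI, FileAttribRef-qualified blocklist entries are not enforced.
        AffectedConfiguration     = -not $hvciRunning
    }
}

function Get-ActiveCiPolicies {
    # Added example: list active Code Integrity policies (the Microsoft recommended
    # driver blocklist appears here when it is deployed). Requires CiTool.exe,
    # present on Windows 11 22H2 and later; returns nothing on older builds.
    if (-not (Get-Command citool.exe -ErrorAction SilentlyContinue)) { return }
    $json = citool.exe --list-policies --json | Out-String
    ($json | ConvertFrom-Json).Policies |
        Select-Object PolicyID, FriendlyName, IsEnforced, IsOnDisk
}

function Enable-HvciMemoryIntegrity {
    # Added example: the documented registry switch for HVCI. Run elevated, then reboot.
    # Machines whose hardware/drivers are incompatible with HVCI will fail to start it,
    # so validate on a test system first.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enabled' -Type DWord -Value 1
    Write-Output "HVCI enabled in the registry; reboot and re-run Test-HvciBlocklistExposure."
}

# Usage (read-only checks):
Test-HvciBlocklistExposure
Get-ActiveCiPolicies
```

Run the two read-only functions across a fleet first: any host that reports AffectedConfiguration = True and no enforced blocklist policy is one where the FileAttribRef-qualified entries described above are not being applied, and should either get HVCI turned on or a WDAC policy that blocks the listed drivers, validated in audit mode before enforcement.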

Added: Sep 8, 2025, 3:18 PM
Updated: Sep 8, 2025, 6:24 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 3.3
remediation:    0.0
relevance:      0.5
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.