PT-2014-1973

Glafkos Charalambous · Published 2014-06-10 · Updated 2025-09-24

CVE-2015-2291

CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Intel Ethernet diagnostics driver versions prior to 1.3.1.0
Description:

The Intel Ethernet diagnostics driver contains a flaw caused by insufficient input validation when processing IOCTL calls (0x80862013, 0x8086200B, 0x8086200F, 0x80862007). Successful exploitation could allow an attacker to cause a denial of service or potentially execute arbitrary code with kernel privileges.

The Scattered Spider threat actor has been observed attempting to leverage this issue through a Bring Your Own Vulnerable Driver (BYOVD) technique to bypass endpoint security solutions such as Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne. The technique involves deploying older, vulnerable versions of the Intel Ethernet driver to gain elevated privileges on compromised systems. The driver used by Scattered Spider is a 64-bit kernel driver with 35 functions, signed with stolen code signing certificates. It decrypts a hardcoded string naming the targeted security solutions and patches the target drivers at hardcoded offsets. It also iterates over the loaded kernel modules looking for the security software component and patches it in memory to avoid detection.

API Endpoints: the vulnerability is triggered through IOCTL calls, specifically (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, and (d) 0x80862007.
Recommendations:

Update IQVW32.sys to version 1.3.1.0 or later.
Update IQVW64.sys to version 1.3.1.0 or later.
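A host-side check for the recommendation above, added here as an example (it is not part of this advisory or of Intel's tooling): it lists registered driver services and on-disk copies of IQVW32.sys / IQVW64.sys and compares each file version with the fixed version 1.3.1.0. The file names and fixed version come from the advisory; the search scope and the function names are assumptions of this example.

```powershell
# Added example (not from the advisory): flag copies of the Intel Ethernet
# diagnostics driver, IQVW32.sys / IQVW64.sys, older than the fixed 1.3.1.0.
# File names and fixed version are from the advisory; the search scope
# (registered driver services plus System32\drivers) is an assumption here.
$FixedVersion = [version]'1.3.1.0'
$TargetNames  = @('IQVW32.sys', 'IQVW64.sys')

function Get-DriverFileVersion {
    param([Parameter(Mandatory)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Build a comparable [version] from the numeric parts instead of parsing
    # FileVersion, which may carry free text after the numbers.
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Find-VulnerableIqvwDriver {
    $candidates = @{}   # path -> $true if the driver service is running

    # 1. Driver services, running or stopped. A BYOVD drop can live anywhere
    #    on disk, so the registered service path is the more reliable lead.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $p = $_.PathName -replace '^\\\?\?\\', ''   # strip NT "\??\" prefix
            if ((Split-Path -Path $p -Leaf) -in $TargetNames) {
                $candidates[$p] = ($_.State -eq 'Running')
            }
        }

    # 2. Copies sitting in the default driver folder but not registered.
    Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $TargetNames } |
        ForEach-Object {
            if (-not $candidates.ContainsKey($_.FullName)) { $candidates[$_.FullName] = $false }
        }

    foreach ($path in @($candidates.Keys)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }   # stale service entry
        $ver = Get-DriverFileVersion -Path $path
        [pscustomobject]@{
            Path       = $path
            Version    = $ver
            Loaded     = $candidates[$path]
            Vulnerable = ($ver -lt $FixedVersion)   # pre-1.3.1.0 per the advisory
        }
    }
}

Find-VulnerableIqvwDriver | Format-Table -AutoSize
```

A row with Vulnerable = True and Loaded = True on a host that has no reason to run Intel diagnostics tooling is the BYOVD signal worth escalating; a stopped but registered vulnerable copy should still be removed or updated.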

Tags: Exploit · Fix · RCE



Related Identifiers:

BDU:2017-02013
CVE-2015-2291

Affected Products:

Intel Ethernet Diagnostic Driver
Microsoft Defender for Endpoint
Palo Alto Networks Cortex XDR Agent
SentinelOne