Vulnerability in Intel Storage affects millions of Windows 10 devices

A recent investigation by the vulnerability testing expert team from security firm Safe Breach led to the discovery of a security flaw in earlier versions of Intel Rapid Storage Technology (RST) software that allows hijacking of Dynamic Link Libraries (DLLs), so a malicious program could bypass antivirus detection and compromise the targeted system.

It is important to note that exploiting the vulnerability requires the attacker to obtain administrator privileges on the target system. However, as this is a flaw on Windows 10 systems, the complexity of the operation is greatly reduced, as these systems run with administrative privileges enabled by default, which lightens the workload of threat actors.

The team of vulnerability testing experts discovered the flaw while collecting information about how Windows services are included on various devices, which are highly trusted during security scans. Malware developers also perform this type of analysis frequently, as they discover what features functional malware should have.

RST is included on many devices running Windows, and it has extensive privileges on the operating system, although it does not have network access by default. Apparently, the vulnerability exists because the developers forgot to remove some RST commands that are no longer functional for the proper functioning of the software, for example, to load four DLLs that no longer exist.

According to vulnerability testing experts, a hacker can take advantage of this omission by creating a malicious DLL using one of the legitimate DLL names. To make matters worse, Intel seems to have made everything available to hackers, because when RST can’t find the missing DLL in the folder where it’s supposed to be, it automatically starts searching for it in other folders, so threat actors can load malware from any location on the system.

On top of that, the malware gains persistence because Intel RST will continue to load the malicious DLL every time the system restarts. Finally, because, in theory, DLLs should be used by reliable Intel RST software, antivirus solutions will not identify it as malicious development.

The vulnerability was reported by Safe Breach on July 22. In response to this report, Intel released various security patches for RST software, including versions 15.x, 16.x, and 17.x. To be exact, system administrators should upgrade to versions v15.9.8.x, v16.8.3.x, or v17.5.1.x, mention the International Institute of Cyber Security (IICS) vulnerability testing specialists.

All patches have already been released, so the vulnerabilities have finally been publicly disclosed. Although Intel had requested a time extension to release the updates next January, a disclosure agreement was finally reached with Safe Breach researchers.