CVE-2020-15480

8.8 HIGH

📋 TL;DR

The DirectIo32.sys/DirectIo64.sys kernel driver bundled with PassMark BurnInTest, OSForensics and PerformanceTest exposes IOCTLs that let a low-privileged local user read and write arbitrary Model Specific Registers (MSRs). An unrestricted MSR write is a direct route to Ring-0 code execution (MSRs hold, among other things, the address the CPU jumps to on SYSCALL), so any local user on a host where the driver is loaded can escalate to SYSTEM.

💻 Affected Systems

Products:
  • PassMark BurnInTest
  • PassMark OSForensics
  • PassMark PerformanceTest
Versions: BurnInTest through 9.1, OSForensics through 7.1, PerformanceTest through 10
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is in the DirectIo32.sys and DirectIo64.sys kernel drivers that ship with these applications; the driver, not the application, is what must be updated or removed.

📦 What is this software?

PassMark Software publishes Windows system-testing and forensics tools: BurnInTest stress-tests hardware for reliability, PerformanceTest benchmarks CPU, memory, disk and graphics, and OSForensics is a digital forensics and data-recovery suite. All three read low-level hardware state that user-mode code cannot reach, which is why they ship the DirectIo kernel driver at issue here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary Ring-0 code execution, allowing attackers to install persistent malware, steal sensitive data, or disable security controls.

🟠

Likely Case

Local privilege escalation from low-privilege user to SYSTEM/administrator privileges, enabling lateral movement and persistence establishment.

🟢

If Mitigated

Limited impact if the vulnerable driver is never loaded on multi-user hosts or has been replaced by the fixed build. Restricting who may launch the PassMark application only helps while the driver is not loaded; once its device object exists, any local process can open it and send the IOCTLs.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Any low-privileged user on affected systems can potentially escalate to SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs only the ability to run code as a local user on a host where the driver is loaded: the attacker opens the driver's device object and issues the MSR read/write IOCTLs. No memory corruption or race is involved, which is why complexity is rated LOW.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BurnInTest 9.2+, OSForensics 7.2+, PerformanceTest 10.1+

Vendor Advisory: https://www.passmark.com/support/index.php

Restart Required: Yes

Instructions:

1. Update the affected PassMark software to the fixed release.
2. Restart the system so the old driver is unloaded.
3. Confirm that no copy of the old DirectIo32.sys/DirectIo64.sys remains loaded or on disk. If the updated build ships a driver with the same file name, compare file version or hash against the files in the new installation rather than relying on the name.

🔧 Temporary Workarounds

Remove vulnerable drivers

windows

Stop and remove the driver service, then delete DirectIo32.sys and DirectIo64.sys. Run from an elevated prompt. The service name "DirectIo" and the drivers directory path are as stated on this page; confirm them on your host first (sc query / driverquery), since the installer may register the driver under a different name or path. A loaded driver's file cannot be deleted until the service is stopped or the host rebooted, and the application may re-install the driver the next time it runs, so pair this with the application restriction below.

rem Elevated prompt required. Service name and path as stated above; confirm with "sc query DirectIo" and "driverquery /v" first.
sc stop DirectIo
sc delete DirectIo
rem The file is locked while the driver is loaded; re-run the delete after a reboot if it fails.
del C:\Windows\System32\drivers\DirectIo*.sys

Restrict driver loading

windows

Use Group Policy to restrict loading of vulnerable drivers

gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> System Services -> Configure DirectIo service to 'Disabled'

🧯 If You Can't Patch

  • Restrict access to PassMark software to trusted administrators, bearing in mind that this only prevents the driver from being loaded; once it is loaded, any local process can open its device and send the IOCTLs.
  • Implement application whitelisting (WDAC/AppLocker) for the PassMark binaries, and add the vulnerable driver's hash to a WDAC driver deny rule. The driver is code-signed (64-bit Windows will not load it otherwise), so an attacker who already holds admin can copy it onto any Windows host and load it to reach the kernel (bring your own vulnerable driver); check whether Microsoft's vulnerable driver blocklist already covers the build you have.

🔍 How to Verify

Check if Vulnerable:

Check whether DirectIo32.sys or DirectIo64.sys exists in C:\Windows\System32\drivers\ or is currently loaded (driverquery /v lists registered drivers and their state), and compare the PassMark product version against the fixed releases listed above.

Check Version:

Check the application's About dialog, or the registry: HKEY_LOCAL_MACHINE\SOFTWARE\PassMark\[ProductName]\Version. On 64-bit Windows also look under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassMark, where a 32-bit installer's writes are redirected.

Verify Fix Applied:

Confirm the PassMark software reports the updated version and that no copy of the old DirectIo*.sys is loaded or left on disk. Because the fixed build may ship a driver with the same file name, compare file version or hash with the driver in the updated installation rather than relying on the name alone.
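The following PowerShell script is an added example covering both the Temporary Workarounds and the How to Verify sections above; it is written by the editor and is not PassMark code. It assumes (unconfirmed by the vendor) that the driver service may not be named literally "DirectIo", so drivers are matched on their image path; that the registry layout is HKLM\SOFTWARE\PassMark\<Product>\Version as this page states; and that the first fixed releases are the ones listed under Fix & Mitigation.

```powershell
# Added example (editor-written, not PassMark code). Assumptions, not confirmed by the
# vendor: driver service name may differ from "DirectIo" (matched by image path instead);
# registry layout HKLM\SOFTWARE\PassMark\<Product>\Version as stated on this page;
# first-fixed versions as listed on this page.
#Requires -RunAsAdministrator

$FixedVersions = @{                      # first fixed release, as listed on this page
    'BurnInTest'      = [version]'9.2'
    'OSForensics'     = [version]'7.2'
    'PerformanceTest' = [version]'10.1'
}

function Get-DriverFileInfo {
    # Version, SHA-256 and Authenticode signer of one driver file. Presence alone proves
    # nothing: a patched build may ship a DirectIo*.sys with the same name, so compare
    # these values against the files in the updated installation.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]@{ Path = $Path; Exists = $false } }
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    [pscustomobject]@{
        Path        = $item.FullName
        Exists      = $true
        FileVersion = $item.VersionInfo.FileVersion
        Sha256      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        Signer      = $sig.SignerCertificate.Subject
        SigStatus   = $sig.Status
    }
}

function Get-DirectIoDriver {
    # Every driver the Service Control Manager knows whose image is DirectIo*.sys
    # (State shows whether it is loaded right now), plus stray copies in the drivers
    # directory that are not registered as a service.
    $seen = @{}
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'DirectIo\w*\.sys' } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''   # strip the NT \??\ prefix
            $seen[$path.ToLower()] = $true
            $info = Get-DriverFileInfo $path
            [pscustomobject]@{ Service = $_.Name; State = $_.State; StartMode = $_.StartMode
                               Path = $path; FileVersion = $info.FileVersion
                               Sha256 = $info.Sha256; Signer = $info.Signer }
        }
    Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'DirectIo*.sys' -ErrorAction SilentlyContinue |
        Where-Object { -not $seen.ContainsKey($_.FullName.ToLower()) } |
        ForEach-Object {
            $info = Get-DriverFileInfo $_.FullName
            [pscustomobject]@{ Service = '(unregistered)'; State = 'n/a'; StartMode = 'n/a'
                               Path = $_.FullName; FileVersion = $info.FileVersion
                               Sha256 = $info.Sha256; Signer = $info.Signer }
        }
}

function Get-PassMarkVersion {
    # Product versions from the registry keys named on this page, in both the native and
    # WOW6432Node views (a 32-bit installer on 64-bit Windows is redirected to the latter).
    foreach ($root in 'HKLM:\SOFTWARE\PassMark', 'HKLM:\SOFTWARE\WOW6432Node\PassMark') {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $product = $key.PSChildName
            $raw = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Version
            $status = 'unknown'
            if ($raw -and $FixedVersions.ContainsKey($product)) {
                $m = [regex]::Match([string]$raw, '^\d+(\.\d+)*')
                if ($m.Success) {
                    $v = $m.Value; if ($v -notmatch '\.') { $v += '.0' }   # [version] needs major.minor
                    $status = if ([version]$v -ge $FixedVersions[$product]) { 'fixed' } else { 'VULNERABLE' }
                }
            }
            [pscustomobject]@{ Product = $product; Version = $raw; Status = $status; Key = $key.Name }
        }
    }
}

function Disable-DirectIoDriver {
    # Workaround when you cannot patch: stop the driver and set it to Disabled so neither
    # boot nor the application can load it again. A kernel driver that refuses to stop
    # stays loaded until reboot; the Disabled start type still takes effect after that.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($d in Get-DirectIoDriver | Where-Object { $_.Service -ne '(unregistered)' }) {
        if ($PSCmdlet.ShouldProcess($d.Service, 'stop and disable driver service')) {
            & sc.exe stop $d.Service | Out-Null
            & sc.exe config $d.Service start= disabled | Out-Null
        }
    }
}

Get-DirectIoDriver  | Format-Table Service, State, StartMode, FileVersion, Path -AutoSize
Get-PassMarkVersion | Format-Table Product, Version, Status -AutoSize
# Disable-DirectIoDriver -WhatIf    # dry run; drop -WhatIf to apply the workaround
```

Run it before and after patching: the first table tells you whether a DirectIo driver is registered and loaded and what build it is, the second compares the registry version with the fixed releases. The SHA-256 and signer columns are what you feed into a WDAC deny rule or a fleet-wide search if you decide to block the driver instead of removing it.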

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7045: Service installation for DirectIo
  • Driver load events for DirectIo*.sys (Sysmon Event ID 6 DriverLoad; the path is in the ImageLoaded field)
  • Process creation for PassMark executables by low-privilege users (Sysmon Event ID 1 or Security Event ID 4688; the user and integrity-level fields show whether a non-admin launched them)

Network Indicators:

  • No network indicators - local exploitation only

SIEM Query:

(EventID=7045 AND (ServiceName="*DirectIo*" OR ImagePath="*DirectIo*.sys")) OR (EventID=6 AND ImageLoaded="*DirectIo*.sys")

The first clause reads the Windows System log (Service Control Manager); the second is Sysmon DriverLoad, whose path field is ImageLoaded, so it only fires where Sysmon is deployed. The parentheses matter: AND binds tighter than OR in most query languages, and without them the first clause would match only the exact service name.
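For hosts without a SIEM feed, the following added example (editor-written, not from this page or the vendor) pulls the same three indicators from the local event logs. It assumes Sysmon is installed for Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate); Event ID 7045 comes from the System log and needs no Sysmon. Because the exact service name is not confirmed, matching is on "DirectIo" anywhere in the service name or image path, and PassMark executables are matched on "PassMark" in the image path, both of which are assumptions.

```powershell
# Added example (editor-written). Assumes Sysmon for Event IDs 6 and 1; 7045 is read from
# the System log. "DirectIo"/"PassMark" substring matching is an assumption, since the
# exact service name and executable names are not confirmed on this page.

function Get-EventDataField {
    # Read one named <Data> element from the event's EventData XML.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-DirectIoServiceInstall {
    # 7045: the Service Control Manager registered a new service. Catches the driver being
    # (re)installed, including someone copying a vulnerable signed build onto the host.
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $name = Get-EventDataField $_ 'ServiceName'
        $path = Get-EventDataField $_ 'ImagePath'
        if ($name -match 'DirectIo' -or $path -match 'DirectIo') {
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = 7045; Service = $name
                               ImagePath = $path; StartType = (Get-EventDataField $_ 'StartType') }
        }
    }
}

function Find-DirectIoDriverLoad {
    # Sysmon 6: the kernel actually loaded the image. Signature/SignatureStatus and the
    # hashes are what you pivot on for a blocklist entry or a fleet-wide search.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $img = Get-EventDataField $_ 'ImageLoaded'
        if ($img -match 'DirectIo') {
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = 6; ImageLoaded = $img
                               Signature = (Get-EventDataField $_ 'Signature')
                               SignatureStatus = (Get-EventDataField $_ 'SignatureStatus')
                               Hashes = (Get-EventDataField $_ 'Hashes') }
        }
    }
}

function Find-PassMarkProcessStart {
    # Sysmon 1: who launched the PassMark binaries. IntegrityLevel of "Medium" means a
    # non-elevated token, the "low-privilege user" case this page flags.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $image = Get-EventDataField $_ 'Image'
        if ($image -match 'PassMark') {
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = 1; Image = $image
                               User = (Get-EventDataField $_ 'User')
                               IntegrityLevel = (Get-EventDataField $_ 'IntegrityLevel')
                               CommandLine = (Get-EventDataField $_ 'CommandLine') }
        }
    }
}

Find-DirectIoServiceInstall | Format-Table -AutoSize
Find-DirectIoDriverLoad     | Format-Table -AutoSize
Find-PassMarkProcessStart   | Format-Table Time, User, IntegrityLevel, Image -AutoSize
```

Reading the output: a 7045 or Sysmon 6 hit on a host that does not have PassMark installed is the bring-your-own-vulnerable-driver case and warrants immediate triage; a Sysmon 1 hit with IntegrityLevel "Medium" is a non-admin launching the software on a host where the driver may then be loaded.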

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-15480
  • PassMark support: https://www.passmark.com/support/index.php
