CVE-2020-15481

7.8 HIGH

📋 TL;DR

This vulnerability allows low-privilege users to map arbitrary physical memory into their process address space via vulnerable kernel drivers. This enables arbitrary Ring-0 code execution and privilege escalation. Affects users of PassMark BurnInTest, OSForensics, and PerformanceTest software.

💻 Affected Systems

Products:
  • PassMark BurnInTest
  • PassMark OSForensics
  • PassMark PerformanceTest
Versions: BurnInTest v9.1 Build 1008 and earlier, OSForensics v7.1 Build 1012 and earlier, PerformanceTest v10.0 Build 1008 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability resides in DirectIo32.sys and DirectIo64.sys kernel drivers that are installed with these applications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with kernel-level code execution, allowing attackers to bypass all security controls, install persistent malware, and access all system resources.

🟠 Likely Case

Local privilege escalation from standard user to SYSTEM/administrator privileges, enabling installation of additional malware, credential theft, and lateral movement.

🟢 If Mitigated

Limited impact if proper access controls prevent low-privilege users from running affected software or if software is removed from production systems.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to execute.
🏢 Internal Only: HIGH - Any user with local access to systems running vulnerable software can potentially gain administrative privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but is relatively straightforward once the vulnerable driver is loaded. Public technical details available in ESET's disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BurnInTest v9.2, PerformanceTest v10.0 Build 1009, OSForensics v8.0

Vendor Advisory: https://www.passmark.com/products/performancetest/history.php

Restart Required: Yes

Instructions:

1. Download the latest version from the PassMark website.
2. Uninstall the affected version.
3. Install the patched version.
4. Restart the system to ensure the vulnerable drivers are unloaded.

🔧 Temporary Workarounds

Remove vulnerable drivers (Windows)

Delete or restrict access to the DirectIo32.sys and DirectIo64.sys driver files. Deleting the file does not unload a driver that is already running, so a restart is still required afterwards:

sc stop DirectIo
sc delete DirectIo
del C:\Windows\System32\drivers\DirectIo*.sys

Restrict driver loading (Windows)

Use Group Policy to prevent the DirectIo service from starting:

gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> System Services -> set the DirectIo service to 'Disabled'

🧯 If You Can't Patch

  • Remove affected PassMark software from production systems entirely
  • Implement strict access controls to prevent low-privilege users from running affected software

🔍 How to Verify

Check if Vulnerable:

Check installed PassMark software versions and look for DirectIo32.sys/DirectIo64.sys drivers in System32\drivers

Check Version:

Check program properties or About dialog in each PassMark application

Verify Fix Applied:

Verify that the software version is patched and that the DirectIo driver is neither registered nor loaded (check with 'sc query DirectIo' or a loaded-driver listing such as 'driverquery').
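The three checks above can be run in one pass. The following PowerShell script is an added example, not part of this advisory or of PassMark's software; it assumes the service name "DirectIo" and the System32\drivers path given in this advisory, and the DisplayName patterns it uses to find the PassMark products in the uninstall registry keys are assumptions.

```powershell
# Added check script (not from the advisory or from PassMark). Assumes the service name
# "DirectIo" and the driver path given in this advisory; the DisplayName patterns used to
# find the PassMark products in the uninstall registry keys are assumptions.
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'
$driverFiles = @(Get-ChildItem -Path $driverDir -Filter 'DirectIo*.sys' -ErrorAction SilentlyContinue)

$report = [ordered]@{}

# 1. Driver files on disk, with file version and signer, so they can be compared
#    against the builds shipped with the fixed product versions.
$report['DriverFiles'] = foreach ($f in $driverFiles) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path    = $f.FullName
        Version = $f.VersionInfo.FileVersion
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    }
}

# 2. Kernel driver service registration and whether it is currently loaded.
#    Get-Service does not list kernel drivers, so query Win32_SystemDriver instead.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='DirectIo'" -ErrorAction SilentlyContinue
$report['ServiceRegistered'] = [bool]$drv
$report['DriverLoaded']      = if ($drv) { [bool]$drv.Started } else { $false }
$report['StartMode']         = if ($drv) { $drv.StartMode } else { 'n/a' }

# 3. Installed PassMark products and their versions, from the uninstall keys
#    (native and WOW6432Node views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$report['PassMarkProducts'] = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'BurnInTest|OSForensics|PerformanceTest' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

# 4. Verdict. The host stays exposed while the driver is on disk or still loaded, even if
#    the PassMark application has already been uninstalled or upgraded. A loaded driver
#    whose file is gone means the restart from the fix instructions is still pending.
$report['Exposed']       = ($driverFiles.Count -gt 0) -or $report['DriverLoaded']
$report['RebootPending'] = $report['DriverLoaded'] -and ($driverFiles.Count -eq 0)

[pscustomobject]$report | Format-List
```

Compare the reported DisplayVersion values against the fixed versions listed under "Official Fix"; the driver file version is reported so it can be checked against what the patched installer ships, since this advisory lists product versions rather than driver versions.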

📡 Detection & Monitoring

Log Indicators:

  • Driver load and service installation events for DirectIo32.sys / DirectIo64.sys (service name DirectIo)
  • Process creation events for BurnInTest/OSForensics/PerformanceTest executables
  • Privilege escalation attempts

Network Indicators:

  • None - local exploitation only

SIEM Query:

(EventID=7045 AND ServiceName='DirectIo') OR (ProcessName IN ('bit.exe', 'osf.exe', 'performancetest.exe') AND CommandLine CONTAINS 'privilege')
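For hosts without a SIEM, the same indicators can be pulled from the local event logs. The following PowerShell script is an added example, not part of this advisory; it assumes the driver service is named "DirectIo" (as this advisory states), that Sysmon is installed under its default log name so that Event ID 6 (driver loaded) and Event ID 1 (process created) exist, and that the executable names are the ones used in the SIEM query above. The 30-day lookback is an arbitrary choice.

```powershell
# Added detection script (not from the advisory). Implements the log indicators listed
# above with Get-WinEvent. Assumptions: driver service name "DirectIo" (from the advisory);
# Sysmon present with its default log name; executable names taken from the advisory's
# SIEM query. The lookback window is a choice, not a recommendation.
param([int]$Days = 30)
$since = (Get-Date).AddDays(-$Days)

# Pull a named field out of an event's EventData block.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Normalise a matching event into one row for the report.
function New-Hit {
    param($Event, [string]$Indicator, [string]$Detail)
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Computer  = $Event.MachineName
        Indicator = $Indicator
        Detail    = $Detail
        RecordId  = $Event.RecordId
    }
}

$hits = @()

# 1. Service Control Manager record of the driver service being installed
#    (System log, Event ID 7045). Fires when PassMark installs the driver and also
#    when anything else registers a copy of it as a service.
$hits += @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'ServiceName') -match '^DirectIo' } |
    ForEach-Object { New-Hit $_ 'DriverServiceInstalled' (Get-EventDataField $_ 'ImagePath') })

# 2. Driver load events from Sysmon (Event ID 6, ImageLoaded). Matches either driver
#    file name wherever it was loaded from, not only System32\drivers.
$hits += @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'ImageLoaded') -match 'DirectIo(32|64)?\.sys$' } |
    ForEach-Object { New-Hit $_ 'DriverLoaded' (Get-EventDataField $_ 'ImageLoaded') })

# 3. Process creation of the PassMark executables (Sysmon Event ID 1, Image).
$hits += @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'Image') -match '\\(bit|osf|performancetest)\.exe$' } |
    ForEach-Object { New-Hit $_ 'PassMarkProcessStarted' (Get-EventDataField $_ 'Image') })

$hits | Sort-Object Time | Format-Table -AutoSize
```

A DriverLoaded row on every boot is expected on a host where the PassMark product is legitimately installed; the rows worth triage are a DriverServiceInstalled or DriverLoaded event on a host that has no PassMark product in its inventory, or a load from a path other than System32\drivers. Security Event ID 4688 can replace the Sysmon process-creation query where process creation auditing is enabled instead of Sysmon.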

🔗 References