Paragon Partition Manager Contains Five Memory Vulnerabilities

Summary:
Paragon Partition Manager's BioNTdrv.sys driver, in versions prior to 2.0.0, contains five vulnerabilities that can be exploited by attackers with local access to escalate privileges on targeted devices or launch denial of service attacks. Paragon Partition Manager, developed by Paragon Software, is a tool available in both community and commercial versions for managing hard drive partitions. It uses a kernel-level driver, BioNTdrv.sys, which provides elevated privileges for low-level access to the hard drive, enabling users to manage and manipulate data at the kernel level.

The vulnerabilities in question impact Paragon Partition Manager versions 7.9.1 and 17, particularly in BioNTdrv.sys versions 1.3.0 and 1.5.1:
  • CVE-2025-0288: An arbitrary kernel memory vulnerability in version 7.9.1 caused by the memmove function, which fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation.
  • CVE-2025-0287: A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation.
  • CVE-2025-0286: An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. This flaw can allow attackers to execute arbitrary code on the victim's machine.
  • CVE-2025-0285: An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges.
  • CVE-2025-0289: An insecure kernel resource access vulnerability in version 17 caused by a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. This allows attackers to compromise the affected service.
The successful exploitation of these flaws could allow actors to escalate privileges to SYSTEM level and manipulate the vulnerable driver using device-specific Input/Output Control calls, which could lead to system crashes, such as a Blue Screen of Death. Microsoft has noted that threat actors have leveraged these vulnerabilities in Bring Your Own Vulnerable Driver (BYOVD) ransomware attacks, specifically CVE-2025-0289 to escalate privileges and conduct further malicious operations.

Security Officer Comments:
Since BioNTdrv.sys is a Microsoft-signed driver, attackers can use the BYOVD technique to target systems even if Paragon Partition Manager isn't installed. The technique takes advantage of legitimate, signed drivers that are already present on a system or can be installed on it. Because these drivers carry a Microsoft signature, the operating system trusts them and the signature satisfies the code-signing checks that would otherwise stop an unsigned driver from loading. When an attacker loads a vulnerable Microsoft-signed driver, the operating system doesn't flag it as suspicious or harmful, treating it as part of legitimate software. In this context, even if Paragon Partition Manager, the software associated with the vulnerable BioNTdrv.sys driver, has not been installed on the target machine, an attacker can still load and install the driver onto the system through other attack vectors such as social engineering or malware. Once the driver is running, the attacker can then exploit specific vulnerabilities in the driver to gain elevated privileges and execute arbitrary code. Overall, the fact that the driver is signed by Microsoft makes it harder for traditional security measures to detect, allowing attackers to exploit these flaws with less risk of detection or intervention.

Suggested Corrections:
Paragon Software has updated Partition Manager and released a new driver, BioNTdrv.sys version 2.0.0, which addresses these vulnerabilities. Furthermore, vulnerable BioNTdrv.sys versions have been blocked by Microsoft's Vulnerable Driver Blocklist. Users should ensure they have the latest version of Paragon Partition Manager installed. Additionally, they can check whether the Vulnerable Driver Blocklist is enabled in Windows Security settings; it is enabled by default on Windows 11. Enterprise organizations should apply the blocklist across their network to prevent the exploitation of vulnerable BioNTdrv.sys versions 1.3.0 and 1.5.1. For more details, users can refer to Microsoft's Vulnerable Driver Blocklist information.
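The following PowerShell script is an added example of the defender-side checks the two sections above call for (is the blocklist on, is HVCI running, is a pre-2.0.0 BioNTdrv.sys present or loaded on this host, and has Code Integrity already recorded a block of it). It is not code from the CERT advisory, Microsoft, or Paragon Software. The driver file name and the fixed version 2.0.0 come from the advisory; the registry value VulnerableDriverBlocklistEnable, the Win32_DeviceGuard CIM class, and the Code Integrity event IDs 3076/3077 are Microsoft-documented locations that the script assumes are present on the host. The search directories and the 200-event window are arbitrary choices. Run it from an elevated session.

```powershell
# Added example: checks for the BioNTdrv.sys BYOVD mitigations described in the advisory.
# Not code from the advisory, Microsoft, or Paragon Software; run elevated.

$DriverName   = 'BioNTdrv.sys'          # from the advisory
$FixedVersion = [version]'2.0.0'        # from the advisory; anything lower is treated as vulnerable
$report = [ordered]@{}

# 1. Is the Microsoft Vulnerable Driver Blocklist enabled? (Microsoft-documented registry value;
#    enabled by default on Windows 11, which is why a missing value is reported rather than assumed.)
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$report['BlocklistEnabled'] = if ($null -eq $blocklist) { 'value not set' } else { ($blocklist -eq 1) }

# 2. Is HVCI (memory integrity) actually running? A value of 2 in SecurityServicesRunning means HVCI.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ErrorAction SilentlyContinue
$report['HvciRunning'] = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

# 3. Is the driver registered as a kernel service on this host, and is it running right now?
#    A running pre-2.0.0 copy is the condition the advisory warns about.
$svc = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
       Where-Object { $_.PathName -and ($_.PathName -match [regex]::Escape($DriverName)) }
$report['DriverService'] = if ($svc) {
    (@($svc) | ForEach-Object { "$($_.Name) ($($_.State))" }) -join ', '
} else { 'not registered' }

# 4. Find copies of the driver on disk, read their file version, and flag anything below 2.0.0.
#    Search roots are an assumption; extend the list to match your image.
$searchRoots = @("$env:SystemRoot\System32\drivers",
                 "$env:SystemRoot\System32\DriverStore",
                 "$env:ProgramFiles")
$findings = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi  = $_.VersionInfo
        # Build the version from the numeric parts; the FileVersion string is free-form.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path       = $_.FullName
            Version    = $ver
            Vulnerable = ($ver -lt $FixedVersion)
            SigStatus  = $sig.Status                    # Valid even for the vulnerable builds: signature != safety
            Signer     = $sig.SignerCertificate.Subject
        }
    }
}
$report['DriverFilesFound']   = @($findings).Count
$report['VulnerableCopies']   = @($findings | Where-Object Vulnerable).Count

# 5. Has Code Integrity already blocked (3077, enforced) or would it have blocked (3076, audit) this driver?
#    Event IDs are the standard WDAC policy-violation events; the 200-event window is arbitrary.
$ciEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
                                             Id      = 3076, 3077 } `
                         -MaxEvents 200 -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($DriverName) }
$report['CodeIntegrityEventsForDriver'] = @($ciEvents).Count

# Summary: the host is exposed if a vulnerable copy is present and neither mitigation is in place.
$report['Exposed'] = ($report['VulnerableCopies'] -gt 0) -and
                     -not (($report['BlocklistEnabled'] -eq $true) -or $report['HvciRunning'])

[pscustomobject]$report | Format-List
$findings | Format-Table Path, Version, Vulnerable, SigStatus -AutoSize
```

The per-file signature status is printed deliberately: the vulnerable 1.3.0 and 1.5.1 builds validate as signed, so a signature check alone does not distinguish them from the fixed driver. The version comparison and the blocklist state are what matter. For fleet-wide coverage, run the script through your endpoint management tooling and alert on Exposed being true or on any Code Integrity events for the driver, which indicate an attempted load that the blocklist stopped.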

Link(s):
https://kb.cert.org/vuls/id/726882