Microsoft’s Discovery of Flaws in Paragon Partition Manager Driver
Microsoft has identified significant vulnerabilities in BioNTdrv.sys, a kernel driver shipped with the Paragon Partition Manager software. These weaknesses are particularly concerning because ransomware groups have been exploiting one of them as a zero-day, that is, before a fix was available, to gain high-level privileges on Windows systems.
Understanding the Vulnerabilities
The vulnerabilities in the Paragon Partition Manager drivers can be exploited in a technique known as "Bring Your Own Vulnerable Driver" (BYOVD). In this scenario, hackers can drop the vulnerable driver onto a target computer. Once installed, they can elevate their access privileges, which allows them to execute malicious activities on the victim’s machine.
According to the Computer Emergency Response Team Coordination Center (CERT/CC), those with local access to a device can take advantage of these vulnerabilities. This means that an attacker can escalate privileges, leading to potential denial-of-service problems or worse.
Key Details from CERT/CC
CERT/CC issued a warning stating:
- Attackers can leverage a Microsoft-signed driver, enabling them to exploit systems even if the Paragon Partition Manager is not installed on the system.
- BioNTdrv.sys acts as a kernel-level driver, allowing attackers to run commands with the same privileges as the driver itself, thereby bypassing security software.
The Exploited Vulnerabilities
Researchers at Microsoft uncovered five critical flaws within the driver. One particular flaw, noted as CVE-2025-0289, has been used by ransomware groups, although the specific groups exploiting it have not been publicly disclosed.
Details of the five vulnerabilities are as follows:
- CVE-2025-0288: Due to improper handling of the ‘memmove’ function, this flaw allows attackers to write arbitrary data to kernel memory, leading to privilege escalation.
- CVE-2025-0287: This vulnerability results from a lack of validation within a structure called ‘MasterLrp.’ Exploiting this allows the execution of arbitrary kernel-level code.
- CVE-2025-0286: This flaw arises from improper validation of user-submitted data lengths, granting attackers the ability to execute arbitrary code.
- CVE-2025-0285: This vulnerability occurs when user-supplied data is not validated, leading to arbitrary memory mapping and privilege escalation.
- CVE-2025-0289: This issue involves insecure access to kernel resources, which could compromise system resources if exploited.
Who Is Affected?
The first four vulnerabilities affect versions of the Paragon Partition Manager up to 7.9.1, while CVE-2025-0289 impacts version 17 and older. To ensure safety, users are advised to update to the latest version of the software, which includes BioNTdrv.sys version 2.0.0, designed to patch these flaws.
Risks Even Without Installation
Even users who do not have the Paragon Partition Manager installed are not immune to attacks. Hackers can package the vulnerable driver with their own tools, which means the driver can still be loaded into Windows and used to elevate privileges.
Microsoft’s Response
In response to these vulnerabilities, Microsoft has updated its ‘Vulnerable Driver Blocklist.’ This blocklist is designed to prevent the loading of the BioNTdrv.sys driver on Windows systems. Users and organizations should confirm that their systems have this protection enabled.
To check if the blocklist is active:
- Open Settings.
- Go to Privacy & security.
- Select Windows Security.
- Access Device security.
- Click on Core isolation.
- Ensure Microsoft Vulnerable Driver Blocklist is enabled.
[Image: Windows setting for the Microsoft Vulnerable Driver Blocklist. Source: BleepingComputer]
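The Settings walkthrough above is a manual, single-machine check. For an administrator who needs to verify many hosts, and who also wants to know whether a copy of the driver is already present or being registered (the "even without installation" case discussed on this page), the following PowerShell script performs the same checks non-interactively. It is an added example written for this article, not code from Microsoft, Paragon or BleepingComputer. It assumes that the Settings toggle is backed by the registry value VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config, that the Win32_DeviceGuard class reports HVCI as value 2 in SecurityServicesRunning, and that 2.0.0 is the patched driver version stated above; confirm these against your own Windows build before relying on the output.

```powershell
# Added example (not from the article or from any vendor tooling).
# Audits a Windows host for the Microsoft Vulnerable Driver Blocklist state and
# for any registered, on-disk or recently installed BioNTdrv.sys older than the
# patched 2.0.0 build. Registry path, value name and Win32_DeviceGuard semantics
# are assumptions based on Microsoft's public documentation.

function Get-VulnerableDriverBlocklistState {
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $reg = Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Assumption: value 1 means the Settings toggle shown above is on; an absent
    # value means the OS default applies for this Windows version.
    $regValue = $null
    if ($reg) { $regValue = $reg.VulnerableDriverBlocklistEnable }

    # Assumption: SecurityServicesRunning contains 2 when HVCI (memory integrity)
    # is active, the mode in which the blocklist is enforced most strictly.
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]@{
        BlocklistRegistryValue = $regValue
        BlocklistExplicitlyOn  = ($regValue -eq 1)
        HvciRunning            = $hvci
    }
}

function Find-BioNTdrv {
    param([version]$PatchedVersion = [version]'2.0.0')
    $findings = New-Object 'System.Collections.Generic.List[object]'

    # Registered kernel driver services whose name or image path mentions BioNTdrv.
    # A loader that brings its own copy can register it under any service name,
    # so the path match is the more reliable of the two.
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'BioNTdrv*' -or $_.PathName -like '*BioNTdrv*' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind = 'RegisteredDriver'; Name = $_.Name; Path = $_.PathName
                State = $_.State; Version = $null; Vulnerable = $null
            })
        }

    # Copies of the binary under the standard driver locations, with the PE
    # version compared against the patched build.
    $roots = @("$env:SystemRoot\System32\drivers",
               "$env:SystemRoot\System32\DriverStore\FileRepository")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter 'BioNTdrv.sys' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi  = $_.VersionInfo
                $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                $findings.Add([pscustomobject]@{
                    Kind = 'FileOnDisk'; Name = $_.Name; Path = $_.FullName
                    State = $null; Version = $ver; Vulnerable = ($ver -lt $PatchedVersion)
                })
            }
    }
    return $findings
}

function Get-BioNTdrvInstallEvents {
    param([int]$Days = 30)
    # System event 7045 ("A service was installed in the system") is logged when a
    # driver service is registered, which any attempt to load this driver must do.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'BioNTdrv' } |
        Select-Object TimeCreated, Id, Message
}

# Usage (run in an elevated PowerShell session):
Get-VulnerableDriverBlocklistState | Format-List
Find-BioNTdrv | Format-Table -AutoSize
Get-BioNTdrvInstallEvents | Format-List
```

A host where BlocklistExplicitlyOn or HvciRunning is true, Find-BioNTdrv returns nothing, and no 7045 events mention the driver matches the recommended state. The file search only covers the standard driver directories, so an absent result there does not prove the driver was never staged elsewhere; the blocklist itself, plus driver-load telemetry from your EDR or Sysmon, remains the control that matters.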
Paragon Software has also warned its users to upgrade Paragon Hard Disk Manager immediately, because it ships the same driver, which the blocklist will likewise block.
Increasing Threat Landscape
While it isn’t clear exactly which ransomware groups are actively exploiting this vulnerability, the BYOVD technique has gained popularity among various cybercriminals. Known groups such as Scattered Spider, Lazarus, BlackByte ransomware, and LockBit ransomware are believed to be using these tactics.
Given the increasing risk of such attacks, it is crucial to enable the Microsoft Vulnerable Driver Blocklist feature. This ensures that potentially dangerous drivers are blocked from running on your Windows devices, helping maintain the security of your systems.