CVE-2020-36603:
Privilege escalation vulnerability in Genshin Impact's anti-cheat driver allows local users to execute code with SYSTEM privileges.
Score
A numerical rating that indicates how dangerous this vulnerability is.
6.5 Medium
- Published Date: Sep 14, 2022
- CISA KEV Date: No Data
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.6
- EPSS Percentile: 69%
Exploitability
- Score: 0.6
- Attack Vector: LOCAL
- Attack Complexity: LOW
- Privileges Required: HIGH
- User Interaction: REQUIRED
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
The mhyprot2.sys driver is the anti-cheat component shipped with the popular game Genshin Impact. The vulnerability exists because the driver does not properly validate the caller or restrict access to its privileged functions, so an unprivileged local user can invoke operations that should be reserved for the kernel. The vulnerability has been actively exploited in the wild, including by ransomware actors who load the vulnerable driver to kill antivirus processes before deploying ransomware. Because the driver carries a valid code signature, Windows loads it without complaint, giving attackers a legitimate-looking path to privileged operations. Security researchers have published proof-of-concept exploits demonstrating how the vulnerability can be leveraged to gain SYSTEM privileges, the highest level of access on a Windows system.
Remediation
1. Ensure Genshin Impact is updated to the latest version that includes patched versions of the anti-cheat driver.
2. If not actively playing Genshin Impact, consider uninstalling the game or at least ensuring the mhyprot2.sys driver is not loaded.
3. System administrators should implement application control policies to prevent the loading of known vulnerable driver versions.
4. Monitor systems for suspicious activities related to driver loading or privilege escalation attempts.
5. Keep antivirus and endpoint protection solutions updated to detect exploitation attempts.
6. Consider implementing a vulnerability management program that includes regular scanning for vulnerable drivers.
7. Apply the principle of least privilege for all user accounts to minimize the impact of potential exploitation.
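To support steps 2 and 4, the following PowerShell check is an added example (not part of this advisory or the vendor's tooling) that reports whether a mhyprot2 driver is registered or loaded on a host and prints its hash and signer so the file can be compared against the patched build. It assumes an elevated prompt and only uses built-in cmdlets; the driver name is the one named in the advisory, and the hash comparison against an inventory is left as a comment because the advisory lists no hashes.

```powershell
# Added example: inventory mhyprot2 driver presence on a Windows host.
# Assumes an elevated PowerShell session.
$driverName = 'mhyprot2'

# Registered kernel drivers are exposed as Win32_SystemDriver instances.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like "$driverName*" -or $_.PathName -like "*$driverName*.sys" }

if (-not $drivers) {
    Write-Output "No $driverName driver is registered on this host."
}

foreach ($d in $drivers) {
    # PathName may carry the \??\ NT object prefix; strip it for file access.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    Write-Output ("Driver   : {0}" -f $d.Name)
    Write-Output ("State    : {0} (start mode {1})" -f $d.State, $d.StartMode)
    Write-Output ("Path     : {0}" -f $path)

    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        Write-Output ("SHA256   : {0}" -f $hash)
        Write-Output ("Signed   : {0} by {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
        # Compare $hash with the vulnerable-driver inventory used by your
        # EDR or application control policy (hashes are not listed here).
    }

    if ($d.State -eq 'Running') {
        Write-Warning ("{0} is currently loaded; see CVE-2020-36603 and remediation step 2." -f $d.Name)
    }
}
```

A signed driver reported as loaded on a host that has no business running the game is the condition step 4 asks administrators to watch for.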
References
1. GitHub repository with analysis: https://github.com/kagurazakasanae/Mhyprot2DrvControl
2. Proof-of-concept exploit: https://github.com/kkent030315/evil-mhyprot-cli
3. Technical analysis of the vulnerability: https://web.archive.org/web/20211204031301/https://www.godeye.club/2021/05/20/001-disclosure-mhyprot.html
4. Trend Micro report on ransomware actors exploiting this vulnerability: https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
5. Vice article on exploitation in the wild: https://www.vice.com/en/article/y3p35w/hackers-are-using-anti-cheat-in-genshin-impact-to-ransom-victims
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.