CVE-2015-2291
Intel iqvw64e — arbitrary read/write via IOCTL in Intel Ethernet diagnostics driver
Summary
| Field | Value |
|---|---|
| Driver | iqvw64e.sys |
| Vendor | Intel |
| Vulnerability Class | Arbitrary R/W / IOCTL Access Control |
| Abused Version | 1.03.0.7 and earlier |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |
BYOVD Context
- Driver signing: Authenticode-signed by Intel Corporation with valid certificate
- Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
- HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Integrated as a KDU provider
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Arbitrary physical memory read/write
- Arbitrary virtual memory read/write
- MSR read/write
- CR (Control Register) read
Root Cause
iqvw64e.sys is the kernel driver for Intel's iQVW64 Ethernet diagnostics utility, used for low-level NIC testing and configuration. The driver exposes IOCTLs that provide direct kernel and physical memory access without any access control checks on the caller. The device object is accessible to all authenticated users.
The vulnerability was publicly disclosed in 2015 (exploit-db #36392) and represents one of the earliest documented BYOVD cases. Despite being well-known and blocklisted, the driver continues to be encountered in the wild due to the large number of existing signed copies.
Exploitation
The driver provides direct R/W primitives that require no sophisticated exploitation:
- Load the signed
iqvw64e.sysdriver - Open a handle to the device object
- Use arbitrary R/W IOCTLs to read/modify kernel structures
- Perform token swap for SYSTEM escalation
The exploit-db entry #36392 provides a complete working exploit. Multiple threat actors have used this driver in campaigns.
Detection
YARA Rule
rule CVE_2015_2291_iqvw64e {
meta:
description = "Detects Intel iqvw64e.sys vulnerable driver"
cve = "CVE-2015-2291"
author = "KernelSight"
severity = "critical"
strings:
$mz = { 4D 5A }
$driver_name = "iqvw64e" wide ascii nocase
$intel = "Intel" wide ascii
$iqvw = "iQVW" ascii
condition:
$mz at 0 and ($driver_name or $iqvw) and $intel
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of iqvw64e.sys |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for iqvw64e.sys |
| Sysmon | Event ID 6 — Driver loaded | Captures driver hash and signature |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of
iqvw64e.sysfrom a path unrelated to Intel network diagnostics tools - Service creation for Intel diagnostics driver by a non-Intel process
- Kernel memory read/write IOCTL patterns from non-diagnostic processes
- Privilege escalation following iqvw64e.sys interaction