CVE-2022-3699
Lenovo Diagnostics Driver — arbitrary kernel read/write via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | LenovoDiagnosticsDriver.sys |
| Vendor | Lenovo |
| Vulnerability Class | Arbitrary R/W / IOCTL Access Control |
| Abused Version | Versions prior to 4.0.0.0 |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |
BYOVD Context
- Driver signing: Authenticode-signed by Lenovo with valid certificate
- Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
- HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Not integrated
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Arbitrary kernel virtual memory read
- Arbitrary kernel virtual memory write
- Physical memory mapping via MmMapIoSpace
Root Cause
LenovoDiagnosticsDriver.sys is the kernel driver for Lenovo Diagnostics, a system health and hardware testing tool bundled with Lenovo systems. The driver exposes IOCTLs that provide arbitrary kernel memory read/write without proper access control validation. Any authenticated user can open the device and read/write arbitrary kernel memory.
The vulnerability was documented by alfarom256 on GitHub with a complete PoC exploit.
Exploitation
Exploitation is straightforward:
- Load the signed LenovoDiagnosticsDriver.sys
- Open a device handle
- Use read/write IOCTLs to access kernel memory
- Perform EPROCESS token swap for SYSTEM escalation
The PoC by alfarom256 demonstrates the complete exploitation chain.
Detection
YARA Rule
rule CVE_2022_3699_LenovoDiag {
    meta:
        description = "Detects Lenovo Diagnostics vulnerable driver"
        cve = "CVE-2022-3699"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }                                             // PE header magic
        $driver_name = "LenovoDiagnosticsDriver" wide ascii nocase  // driver's own name
        $lenovo = "Lenovo" wide ascii                               // vendor string; also present in other Lenovo-signed binaries, so expect matches beyond this driver
    condition:
        $mz at 0 and ($driver_name or $lenovo)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of LenovoDiagnosticsDriver.sys |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for Lenovo diagnostics driver |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of LenovoDiagnosticsDriver.sys from outside Lenovo's standard installation path
- Kernel memory read/write IOCTL patterns from non-Lenovo diagnostic processes
- Privilege escalation following Lenovo driver interaction
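The first behavioral indicator above, turned into triage logic over Sysmon Event ID 6 (Driver loaded) records. This is an added example, not part of the advisory or of any KernelSight tooling; the sample events are constructed, and EXPECTED_DIR is an assumed install directory because the advisory does not state Lenovo's actual path.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

DRIVER_NAME = "lenovodiagnosticsdriver.sys"
# Assumption for illustration only: replace with the directory observed on a
# known-good Lenovo host before deploying.
EXPECTED_DIR = PureWindowsPath(r"C:\Program Files\Lenovo\Lenovo Diagnostics")

# Constructed Sysmon Event ID 6 records (not real telemetry). The XML namespace
# Sysmon normally emits is omitted to keep the sample short.
SAMPLE_EVENTS = r"""<Events>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\Program Files\Lenovo\Lenovo Diagnostics\LenovoDiagnosticsDriver.sys</Data>
<Data Name="Signature">Lenovo</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\Users\Public\LenovoDiagnosticsDriver.sys</Data>
<Data Name="Signature">Lenovo</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data>
<Data Name="Signature">Microsoft Windows</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>
</Events>"""


def triage_driver_loads(xml_text):
    """Return one finding per Event ID 6 load of the vulnerable driver.

    Severity is 'high' when the image sits outside EXPECTED_DIR (the BYOVD
    pattern: a genuinely signed driver dropped into an attacker-chosen path)
    and 'medium' for a load from the expected location, which still merits a
    look because every build prior to 4.0.0.0 is blocklisted.
    """
    findings = []
    for event in ET.fromstring(xml_text).iter("Event"):
        if event.findtext("System/EventID") != "6":
            continue
        data = {d.get("Name"): d.text or "" for d in event.iter("Data")}
        image = PureWindowsPath(data.get("ImageLoaded", ""))
        if image.name.lower() != DRIVER_NAME:
            continue
        # NTFS paths are case-insensitive, so compare lower-cased strings.
        in_expected_dir = str(image.parent).lower() == str(EXPECTED_DIR).lower()
        findings.append({
            "image": str(image),
            "signer": data.get("Signature", ""),
            "signature_status": data.get("SignatureStatus", ""),
            "severity": "medium" if in_expected_dir else "high",
        })
    return findings
```

Note that the signer will normally be Lenovo with a valid status even in an attack, since BYOVD abuses the legitimate signed binary; the load path and the calling process, not the signature, carry the signal.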