CVE-2022-3699
Lenovo Diagnostics Driver, arbitrary kernel read/write via IOCTL
Summary
| Field | Value |
|---|---|
| Driver | LenovoDiagnosticsDriver.sys |
| Vendor | Lenovo |
| Vulnerability Class | Arbitrary R/W / IOCTL Access Control |
| Abused Version | Versions prior to 4.0.0.0 |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |
The Story
Lenovo Diagnostics is a system health and hardware testing tool bundled with Lenovo systems. Its kernel driver, LenovoDiagnosticsDriver.sys, exposes IOCTLs for arbitrary kernel virtual memory read/write and physical memory mapping via MmMapIoSpace, all without proper access control validation. Any authenticated user can open the device and read/write arbitrary kernel memory.
alfarom256 documented the vulnerability on GitHub with a complete PoC exploit demonstrating the full exploitation chain from driver load to SYSTEM escalation.
Like CVE-2021-21551 (Dell DBUtil), this vulnerability follows the OEM diagnostics driver pattern: a major PC manufacturer ships a kernel driver with their systems that provides unrestricted kernel access for diagnostic purposes, and the lack of caller validation turns every installation into a potential privilege escalation vector.
BYOVD Context
- Driver signing: Authenticode-signed by Lenovo with valid certificate
- Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules
- HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
- KDU integration: Not integrated
- LOLDrivers: Listed at loldrivers.io
Affected IOCTLs
- Arbitrary kernel virtual memory read
- Arbitrary kernel virtual memory write
- Physical memory mapping via MmMapIoSpace
How It Gets Exploited
The exploitation is straightforward: load the signed driver, open the device handle, use the read/write IOCTLs to access kernel memory, and perform an EPROCESS token swap for SYSTEM escalation. The alfarom256 PoC demonstrates the complete chain.
The kernel virtual memory read/write IOCTLs are particularly convenient for attackers because they eliminate the need for page table walking that physical memory BYOVD exploits require. The attacker can directly read and write kernel virtual addresses, making the exploitation chain simpler and more reliable.
Detection
YARA Rule
```yara
rule CVE_2022_3699_LenovoDiag {
    meta:
        description = "Detects Lenovo Diagnostics vulnerable driver"
        cve = "CVE-2022-3699"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $driver_name = "LenovoDiagnosticsDriver" wide ascii nocase
        $lenovo = "Lenovo" wide ascii
    condition:
        // The $lenovo branch on its own matches any PE that carries the vendor name,
        // so expect broad hits unless $driver_name is made mandatory for your deployment.
        $mz at 0 and ($driver_name or $lenovo)
}
```
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of LenovoDiagnosticsDriver.sys |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for Lenovo diagnostics driver |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Kernel-Process | Process token modification | Post-exploitation token swap |
Behavioral Indicators
- Loading of LenovoDiagnosticsDriver.sys from outside Lenovo's standard installation path
- Kernel memory read/write IOCTL patterns from non-Lenovo diagnostic processes
- Privilege escalation following Lenovo driver interaction
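A small triage routine for the Sysmon Event ID 6 signal in the table above, added here as an example and not part of the original page or of any Lenovo or KernelSight tooling. It assumes Sysmon events rendered as XML, a set of expected install directories (EXPECTED_DIRS, an assumption to adjust per fleet) and constructed sample events with placeholder hashes; it flags loads of LenovoDiagnosticsDriver.sys and notes when the image path or signer deviates from what the page describes.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DRIVER = "lenovodiagnosticsdriver.sys"
# Assumed install locations for this environment; adjust to what your fleet actually shows.
EXPECTED_DIRS = ("c:\\program files\\lenovo\\", "c:\\windows\\system32\\drivers\\")

def parse_sysmon_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def assess_driver_load(xml_text):
    """Flag Event ID 6 loads of the vulnerable driver; None if the event is unrelated."""
    event_id, data = parse_sysmon_event(xml_text)
    image = data.get("ImageLoaded", "")
    if event_id != 6 or not image.lower().endswith(DRIVER):
        return None
    reasons = ["vulnerable driver loaded (CVE-2022-3699)"]
    if not image.lower().startswith(EXPECTED_DIRS):
        reasons.append("loaded from outside the expected install path")
    # The page states the driver is Authenticode-signed by Lenovo; anything else is worth a look.
    if data.get("SignatureStatus") != "Valid" or "lenovo" not in data.get("Signature", "").lower():
        reasons.append("signer or signature status differs from the expected Lenovo signature")
    return {"image": image, "hashes": data.get("Hashes", ""), "reasons": reasons}

# Constructed sample events (not real telemetry); hash values are placeholders.
SAMPLE_SUSPICIOUS = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
<EventData><Data Name="ImageLoaded">C:\Users\Public\LenovoDiagnosticsDriver.sys</Data>
<Data Name="Hashes">SHA256=PLACEHOLDER_HASH</Data><Data Name="Signed">true</Data>
<Data Name="Signature">Lenovo</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>"""
SAMPLE_EXPECTED = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
<EventData><Data Name="ImageLoaded">C:\Program Files\Lenovo\LenovoDiagnosticsDriver.sys</Data>
<Data Name="Hashes">SHA256=PLACEHOLDER_HASH</Data><Data Name="Signed">true</Data>
<Data Name="Signature">Lenovo</Data><Data Name="SignatureStatus">Valid</Data></EventData></Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_EXPECTED):
        print(assess_driver_load(sample))
```

Even the in-path load is returned as a hit, because the blocklisted driver should not be loading at all on a hardened host; the extra reasons only raise priority.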
Broader Significance
CVE-2022-3699 is another entry in the growing catalog of OEM diagnostics drivers that expose unrestricted kernel access. Together with Dell's DBUtil (CVE-2021-21551) and others, it demonstrates a systemic problem in the PC OEM ecosystem: major manufacturers ship kernel drivers with their systems that any local attacker can weaponize. The pattern is always the same: diagnostics tool needs hardware access, developer exposes kernel read/write IOCTLs, access control is omitted or insufficient.