Intel CPU Exploit BoundHook

All Intel CPUs with Skylake and later processors running Memory Protection Extension (MPX) on Windows 10 (64 or 32 bit)

A new post-intrusion technique, named BoundHook, has been developed targeting all Intel Central Processing Units (CPUs) with the Skylake processor or newer.

This technique allows attackers to exploit the BOUND function calls that pass between software components within the Memory Protection Extension (MPX). Once exploited, the attacker can execute code from any process and bypass antivirus software and other security measures. BoundHook requires access to the device and is only executable with administrative privileges so a privilege escalation exploit must occur beforehand.

BoundHook is similar to the proof-of-concept attack called GhostHook. It is not a vulnerability, but a method to avoid detection on an already compromised machine. There are a number of mitigations available.

As was the case with GhostHook and also now with BoundHooking, Microsoft and Intel don’t see either as a vulnerability on their end. Both told CyberArk it will not patch the issue because the attack requires that the adversary already has already fully compromised the targeted system.

• Administrative accounts should be heavily regulated with little use as possible.
• Administrative accounts should not be used for day-to-day tasks and only accessed when required.
• Regular patching of systems should be made.
• Antivirus and security detection software should be implemented to stop the initial access required for this vulnerability to be exploited