Should You Trust iVentoy? The Alarming Truth About Insecure Certificates and Drivers
iVentoy is a network-based tool designed to simplify operating system deployment by distributing OS images over PXE to multiple computers simultaneously. Unlike its sibling Ventoy, which focuses on creating USB boot sticks, iVentoy extends PXE server functionality and supports a wide range of operating systems and architectures, including x86 Legacy BIOS, IA32 UEFI, x86_64 UEFI, and ARM64 UEFI modes. Its user-friendly approach allows administrators to deploy OS images with minimal configuration, supporting over 110 OS variants.
Recent Security Concerns
A significant security vulnerability was discovered in iVentoy version 1.0.2. Multiple reports from security researchers and the community highlighted that this version installs:
- An insecure Windows kernel driver
- An obscure, self-signed root certificate into the Windows registry
Details of the Issue
The problematic files are found in the iventoy.dat archive, which is decrypted in memory during execution. Analysis revealed that extracted files, such as wintool.tar.xz and vtoypxe64.exe, are flagged as malicious by VirusTotal and Windows Defender. The file vtoypxe64.exe contains a self-signed certificate labeled “JemmyLoveJenny EV Root CA0,” which is programmatically installed as a trusted root certificate in Windows. These actions potentially open the door to further attacks, as malicious actors could exploit the trusted certificate to bypass system security and install unverified drivers.
Industry Warnings
Cisco Talos previously warned about similar tactics, where attackers exploited Windows policies to load unsigned or malicious kernel-mode drivers using expired or counterfeit certificates. This method can allow threat actors to bypass security controls and compromise systems at a deep level. The presence of a Simplified Chinese language code in some drivers’ metadata suggests the involvement of Chinese-speaking developers, but there is no direct evidence linking iVentoy’s developer to malicious intent.
Developer Response and Mitigation
Upon learning of the vulnerability, the iVentoy developer responded promptly:
- Explained that the tool temporarily installs an open-source driver (httpdisk) during the WinPE phase, which only resides in RAM and is not written to the final Windows installation.
- Initially, a signed driver was used to meet Windows requirements, but since Windows now rejects that signature, the process was changed to use test mode, eliminating the need for a signed driver or certificate.
- The developer acknowledged that the code to load the certificate was not removed but promised a new release to address this oversight.
- Version 1.0.21 was released shortly after, removing the problematic driver and certificate loading code.
Key Takeaways and Recommendations
- Do not use iVentoy version 1.0.2 or earlier due to the unresolved security risks related to kernel drivers and root certificates.
- Upgrade immediately to version 1.0.21 or later, which addresses these vulnerabilities and removes unnecessary certificate code.
- Be cautious with similar tools (including older versions of Ventoy) that may use embedded binaries or certificates, especially in environments with strict security requirements.
How to Protect Your Systems
- Always verify the integrity of deployment tools before use.
- Monitor security advisories and update promptly when vulnerabilities are discovered.
- Regularly scan systems for unauthorized certificates and drivers, especially after using third-party deployment utilities.
Stay vigilant and prioritize secure tools to safeguard your IT infrastructure from avoidable risks. If you have used iVentoy 1.0.2, review your systems for suspicious certificates and drivers, and consider a thorough security audit.
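The following PowerShell script is an added example, not part of this article and not code from the iVentoy project. It turns the audit recommended above into a repeatable check for the artifacts described earlier: the self-signed root certificate installed into the Windows trust stores, the kernel driver the developer described, and test-signing mode, which is the boot setting that lets unsigned kernel drivers load. The certificate subject pattern ("JemmyLoveJenny") is taken from the article and the driver name ("httpdisk") from the developer's response; the baseline file path, the parameter names and the test-signing check are assumptions made for this example. It reports only unless run with `-Remove`.

```powershell
<#
  Added example (not from the article or the iVentoy project).
  Audits a Windows host for: a trusted root CA matching $CertPattern, a kernel
  driver matching $DriverPattern, root certificates added since a saved baseline,
  and test-signing mode. Run from an elevated PowerShell prompt.
  Assumptions: the baseline path, parameter names and the bcdedit check are
  constructed for this example; the two patterns come from the article.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CertPattern   = 'JemmyLoveJenny',   # CA name quoted in the article
    [string]$DriverPattern = 'httpdisk',         # driver named in the developer's response
    [string]$BaselinePath  = "$env:ProgramData\root-store-baseline.txt",  # assumed location
    [switch]$Remove                              # remove matching certificates (honours -WhatIf)
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Type, $Where, $Name, $Id, $Detail) {
    $findings.Add([pscustomobject]@{ Type=$Type; Where=$Where; Name=$Name; Id=$Id; Detail=$Detail })
}

# 1. Trust stores: look for the named CA in the machine and user root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
foreach ($store in $stores) {
    $matches = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $CertPattern -or $_.Issuer -match $CertPattern }
    foreach ($cert in $matches) {
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        Add-Finding 'Certificate' $store $cert.Subject $cert.Thumbprint "self-signed=$selfSigned; expires $($cert.NotAfter)"
        if ($Remove -and $PSCmdlet.ShouldProcess("$store\$($cert.Thumbprint)", 'Remove certificate')) {
            Remove-Item -Path "$store\$($cert.Thumbprint)"
        }
    }
}

# 2. Baseline diff: flag any machine root certificate not present in a thumbprint
#    list saved earlier, so the check does not depend on knowing a CA name in advance.
$current = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint | Sort-Object
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath
    $added = Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        Where-Object SideIndicator -eq '=>'
    foreach ($entry in $added) {
        $cert = Get-Item "Cert:\LocalMachine\Root\$($entry.InputObject)"
        Add-Finding 'NewRootSinceBaseline' 'Cert:\LocalMachine\Root' $cert.Subject $cert.Thumbprint "not in $BaselinePath"
    }
} else {
    # First run on a known-clean host: record the current root store as the baseline.
    $current | Set-Content $BaselinePath
    Write-Verbose "No baseline found; wrote current root thumbprints to $BaselinePath"
}

# 3. Kernel driver: registered driver services and driver files on disk.
foreach ($drv in Get-CimInstance Win32_SystemDriver -Filter "Name LIKE '%$DriverPattern%'") {
    Add-Finding 'DriverService' $drv.PathName $drv.Name $drv.State "StartMode=$($drv.StartMode)"
}
$driverFiles = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter "*$DriverPattern*" -ErrorAction SilentlyContinue
foreach ($file in $driverFiles) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    Add-Finding 'DriverFile' $file.FullName $file.Name (Get-FileHash $file.FullName).Hash "signature=$($sig.Status)"
}

# 4. Boot configuration: test-signing left enabled lets unsigned kernel drivers load.
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match 'testsigning\s+Yes') {
    Add-Finding 'BootConfig' 'bcdedit {current}' 'testsigning' 'Yes' 'unsigned kernel drivers will load'
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No certificate, driver or test-signing findings for the given patterns.' }
```

Run it once on a freshly installed, known-clean machine so that the baseline file is written, then re-run after any deployment with third-party tooling; the baseline diff catches roots added under names you did not anticipate, while the pattern checks cover the specific artifacts this article names. Because it supports `-WhatIf`, `.\audit.ps1 -Remove -WhatIf` shows which certificates would be deleted without changing the store.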
If you value the security of your systems, act decisively: avoid outdated iVentoy versions and always keep your deployment tools up to date.