Dell has published a fix for a set of bugs that went undetected since 2009 in a driver shipped to hundreds of millions of Dell computers and laptops worldwide. The flaws are local privilege-escalation vulnerabilities: an attacker who already has low-privileged code running on the machine can use them to obtain kernel-mode privileges, and one of them can be used to crash the system (a local denial of service, not a distributed DDoS attack).
SentinelOne's research arm, SentinelLabs, reported the issues to Dell on December 1, 2020, and published its findings on May 4, 2021, the day Dell released its fix. The bugs are in a driver named “dbutil_2_3.sys” that Dell's firmware update tools install on millions of laptops, tablets, and desktop computers.
In its advisory, Dell said that the driver contains an insufficient access control vulnerability that a local authenticated user could exploit. Dell tracks all five flaws under a single identifier, CVE-2021-21551; The Hacker News listed SentinelLabs' breakdown of the five:
- CVE-2021-21551: Local Elevation Of Privileges #1 – Memory corruption.
- CVE-2021-21551: Local Elevation Of Privileges #2 – Memory corruption.
- CVE-2021-21551: Local Elevation Of Privileges #3 – Lack of input validation.
- CVE-2021-21551: Local Elevation Of Privileges #4 – Lack of input validation.
- CVE-2021-21551: Denial Of Service – Code logic issue.
The Technical Details
The local privilege-escalation (LPE) flaws went undetected and unnoticed for 12 years. The driver is the kernel-mode component that Dell's BIOS and firmware update utilities use to perform updates, which is why it is so widely deployed. According to SentinelLabs,
“Hundreds of millions of Dell devices have updates pushed on a regular basis, for both consumer and enterprise systems.”
The flaws let an attacker who already has a foothold on the machine elevate from an ordinary user to kernel privileges, from where the rest of the system, including security software, is open to tampering.
SentinelLabs said it would publish its proof-of-concept (PoC) on June 1, 2021, to give users time to patch, illustrating the memory corruption issue.
In its write-up, SentinelLabs said, “The first and most immediate problem with the firmware update driver arises out of the fact that it accepts input/output control (IOCTL) requests without any [access-control list (ACL)] requirements.”
“That means that a non-privileged user can invoke it. Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges.”
How to Fix Your Dell Machine
Dell's remediation, described in its advisory DSA-2021-088, is to remove the vulnerable dbutil_2_3.sys driver from the system and to update the affected Dell utilities to versions that no longer install it; Dell provides both a removal tool and manual removal steps on the advisory page. Removing the file alone is not enough if an unpatched utility is left in place, since it will drop the driver again the next time it runs.
However, as ThreatPost reports, SentinelOne added a warning. “Note that the certificate was not yet revoked (at the time of writing),” the researchers said. “This is not considered best practice since the vulnerable driver can still be used in a BYOVD attack as mentioned earlier.” BYOVD (bring your own vulnerable driver) means an attacker who already has administrator rights on any Windows machine, Dell or not, can load the still-validly-signed driver themselves and use its flaws to get into the kernel.
The impact on users and enterprises that fail to patch is “far-reaching and significant,” according to the analysis, although no in-the-wild exploitation had been seen at the time.
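The following audit script is an added example written for this article; it is not code from Dell, SentinelLabs or ThreatPost. It covers both the remediation step above and the BYOVD caveat: it looks for dbutil_2_3.sys in the locations Dell's advisory names (per-user Temp folders and the Windows Temp folder), reports whether the driver is still registered as a kernel service, shows the signature status that makes BYOVD reuse possible while the certificate stays valid, and checks whether Hypervisor-enforced Code Integrity (HVCI), the general Windows mitigation against loading known-bad drivers, is running. The search paths and the use of HVCI as the mitigation are this example's assumptions; everything else is standard Windows tooling. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article, Dell or SentinelLabs): audit one Windows host
# for the vulnerable Dell dbutil_2_3.sys driver and for BYOVD exposure.
# Assumption: the driver is dropped into per-user Temp folders and C:\Windows\Temp,
# the locations Dell's advisory names; other paths are not searched.

$driverName = 'dbutil_2_3.sys'

# 1. Driver files on disk. Look in every user profile's Temp folder, not only the
#    current user's, because whichever account last ran a Dell update tool got the copy.
$searchRoots = @("$env:SystemRoot\Temp") +
    (Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

$found = foreach ($root in $searchRoots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Filter $driverName -File -ErrorAction SilentlyContinue
    }
}

if (-not $found) {
    "No $driverName found under the searched Temp folders."
}

foreach ($f in $found) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signer    = $sig.SignerCertificate.Subject
        # 'Valid' means the signing certificate has not been revoked: the file would
        # still load on any Windows host, which is exactly the BYOVD concern.
        SigStatus = $sig.Status
    }
}

# 2. Is the driver registered (or running) as a kernel service? Deleting the file does
#    not clear the service entry, and a loaded copy is what an attacker talks to via IOCTLs.
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName*" -or $_.Name -like 'dbutil*' }
if ($svc) {
    $svc | Select-Object Name, State, StartMode, PathName
} else {
    "No dbutil kernel service registered."
}

# 3. Mitigation that does not depend on certificate revocation: HVCI.
#    SecurityServicesRunning contains 2 when Hypervisor-enforced Code Integrity is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
"HVCI running: $hvciRunning"
```

A host is clean when step 1 finds nothing, step 2 reports no dbutil service, and the affected Dell utilities have been updated so the driver is not re-installed; a valid signature on a copy that is still on disk is the condition under which the BYOVD warning above applies.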