Dell Users at Risk: BIOS Flaw Could Allow Hackers to Take Over

Posted by Dawna M. Roberts in News on May 13, 2021

Dell has issued a firmware update to fix a bug that went undetected since 2009 in hundreds of millions of Dell computers and laptops worldwide. The multiple critical privilege escalation vulnerabilities could allow someone to obtain kernel-mode privileges and execute a denial-of-service (DoS) attack.

What Happened?

As reported on December 1, 2020, by SentinelOne Labs, Dell researchers say the issues are contained within a driver named “dbutil_2_3.sys” that comes preinstalled on millions of laptops, tablets, and desktop computers.

In its advisory, Dell said that the driver contains insufficient access control and could easily be exploited by hackers. The Hacker News listed all five vulnerabilities:

  • CVE-2021-21551: Local Elevation Of Privileges #1 – Memory corruption.
  • CVE-2021-21551: Local Elevation Of Privileges #2 – Memory corruption.
  • CVE-2021-21551: Local Elevation Of Privileges #3 – Lack of input validation.
  • CVE-2021-21551: Local Elevation Of Privileges #4 – Lack of input validation.
  • CVE-2021-21551: Denial Of Service – Code logic issue.

The Technical Details

The multiple local privilege-escalation (LPE) issues have gone undetected and unnoticed for 12 years. The purpose of the driver is to handle Dell updates in the Dell BIOS utility. According to SentinelLabs,

“Hundreds of millions of Dell devices have updates pushed on a regular basis, for both consumer and enterprise systems.”

The flaws allow an attacker to elevate their privileges and exploit other system features.

SentinelLabs will release their proof-of-concept (POC) in early June, illustrating the memory issue.

In the release, SentinelOne said, “The first and most immediate problem with the firmware update driver arises out of the fact that it accepts input/output control (IOCTL) requests without any [access-control list] ACL requirements.”

“That means that a non-privileged user can invoke it. Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges.”

ACL stands for access control list: a set of allow and deny rules that governs permission to access certain features of the hardware or software on a device. The Dell bugs make it possible for a bad actor to bypass these rules and gain elevated access to sections of the operating system, which they should never be able to do.

SentinelOne explains how it could work: “A classic exploitation technique for this vulnerability would be to overwrite the values of ‘present’ and ‘enabled’ in the token-privilege member inside the EPROCESS of the process whose privileges we want to escalate.”

“This is less trivial to exploit and might require using various creative techniques to achieve elevation of privileges.” This means hackers could potentially access other connected devices (hard drives, servers, printers, or memory) once they have elevated their own privileges within the machine.

“For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process,” analysts noted.

Another big issue is the file's location, which is the C:\Windows\Temp folder. SentinelOne explains why: “The classic way to exploit this would be to transform any bring-your-own vulnerable driver (BYOVD) into an elevation-of-privileges vulnerability since loading a (vulnerable) driver means you require administrator privileges, which essentially eliminates the need for a vulnerability. Thus, using this side-noted vulnerability virtually means you can take any BYOVD to an elevation of privileges.”

How to Fix Your Dell Machine

Dell has issued a patch to fix the issue through a firmware update. You can visit this page to update yours.

However, according to ThreatPost, SentinelOne has issued this warning: “Note that the certificate was not yet revoked (at the time of writing),” researchers said. “This is not considered best practice since the vulnerable driver can still be used in a BYOVD attack as mentioned earlier.”

“The impact this could have on users and enterprises that fail to patch is ‘far-reaching and significant,’ according to the analysis, although so far no in-the-wild exploits have shown up.”
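
Because the signed driver can still load after the update, it is worth confirming that no copy remains on a machine. The following check is an added example, not code from Dell or SentinelOne: it looks for dbutil_2_3.sys in C:\Windows\Temp and reports whether Windows still has the driver registered. Searching the per-user Temp folders is an assumption added here for wider coverage; run it from an elevated PowerShell prompt so every folder is readable.

```powershell
# Added example: find leftover copies of the vulnerable Dell driver.
$driverName = 'dbutil_2_3.sys'

# C:\Windows\Temp is the location named in the article.
# The per-user Temp folders are an assumption added for wider coverage.
$searchRoots = @("$env:SystemRoot\Temp")
$searchRoots += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
    Where-Object { Test-Path -LiteralPath $_ }

# Collect every copy on disk with its hash and Authenticode signature details.
$onDisk = foreach ($root in $searchRoots) {
    Get-ChildItem -LiteralPath $root -Filter $driverName -File -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                LastWriteTime   = $_.LastWriteTime
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
            }
        }
}

# A driver that is still registered as a kernel service can be started again,
# so report its state separately from the file on disk.
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName" } |
    Select-Object Name, State, StartMode, PathName

if ($onDisk) {
    Write-Warning "$driverName found on disk:"
    $onDisk | Format-List
}
if ($registered) {
    Write-Warning "$driverName is registered as a driver service:"
    $registered | Format-List
}
if (-not $onDisk -and -not $registered) {
    Write-Output "No copy of $driverName found in the searched folders, and no matching driver service is registered."
}
```

A valid signature in the output does not mean the file is safe: as the researchers note, the certificate had not been revoked, so the vulnerable driver still verifies.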
