Dell has issued patches for five high-severity vulnerabilities in its firmware update driver, impacting Dell desktops, laptops, notebooks and tablets. If exploited, these flaws may allow attackers to locally escalate to kernel-mode privileges.
The five flaws stem from a firmware update driver component, which is responsible for Dell firmware updates through the Dell BIOS Utility. This module, the DBUtil firmware update driver, comes pre-installed on most Dell machines running Windows. Researchers with SentinelLabs, who discovered the flaws, said that they have remained undisclosed for 12 years.
“These high severity vulnerabilities, which have been present in Dell devices since 2009, affect hundreds of millions of devices and millions of users worldwide,” said Kasif Dekel, senior security researcher at SentinelLabs. “While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild… with hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action.”
The flaws (collectively tracked as CVE-2021-21551) were reported to Dell on Dec. 1 and carry a CVSS score of 8.8. Dell on Tuesday issued patches for the flaws in its DSA-2021-088 advisory.
The flaws include two memory corruption vulnerabilities and two input-validation flaws, all of which enable local elevation of privilege, plus a code logic issue that can allow for denial-of-service attacks.
One significant issue stems from the firmware update driver accepting Input/Output Control (IOCTL) requests sans any Access Control List (ACL) requirements, which are meant to block unauthorized users from certain resources. Because these ACL requirements don’t exist, IOCTL requests can be invoked by a non-privileged user.
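The missing-ACL condition described above can be checked from the defender's side without touching any IOCTL: if a device object can be opened for read/write by a standard, non-elevated user, every local user can reach the driver's IOCTL dispatch. The following PowerShell script is an added example written for this page; it is not code from SentinelLabs or Dell. The device path `\\.\EXAMPLE_DEVICE` is a constructed placeholder, and the script assumes you substitute the symbolic link the driver under review actually registers.

```powershell
# Added example (not SentinelLabs' or Dell's code). From a standard-user PowerShell
# session, try to open a driver's device object for read/write and report whether
# a DACL gated the open. The device path used below is a placeholder.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
"@

function Test-DeviceObjectAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DevicePath)

    $GENERIC_READ  = [uint32]0x80000000
    $GENERIC_WRITE = [uint32]0x40000000
    $OPEN_EXISTING = [uint32]3

    # Record whether this session is elevated; the test is only meaningful
    # when run as a standard user, because admins pass most device DACLs anyway.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $handle = [Win32.Native]::CreateFileW($DevicePath, ($GENERIC_READ -bor $GENERIC_WRITE), 0,
                                          [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    # GetLastWin32Error must be read immediately after the P/Invoke call.
    $err    = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $opened = -not $handle.IsInvalid
    if ($opened) { $handle.Dispose(); $err = 0 }

    if ($opened -and $elevated) {
        $verdict = 'Opened from an elevated session: re-run as a standard user to test the DACL'
    } elseif ($opened) {
        $verdict = 'Opened by a standard user: no ACL gates this device (IOCTLs reachable by any local user)'
    } elseif ($err -eq 5) {   # ERROR_ACCESS_DENIED
        $verdict = 'Access denied: a DACL restricts this device'
    } elseif ($err -eq 2) {   # ERROR_FILE_NOT_FOUND
        $verdict = 'Device not present on this host'
    } else {
        $verdict = "Open failed with Win32 error $err"
    }

    [pscustomobject]@{
        DevicePath = $DevicePath
        User       = $identity.Name
        Elevated   = $elevated
        Opened     = $opened
        Win32Error = $err
        Verdict    = $verdict
    }
}

# Example call; '\\.\EXAMPLE_DEVICE' is a constructed placeholder, not a real Dell device name.
Test-DeviceObjectAccess -DevicePath '\\.\EXAMPLE_DEVICE' | Format-List
```

Run it once from a normal user session and once elevated: a driver with a sane DACL yields "Access denied" for the standard user and an open for the administrator, while a device that opens in both cases exposes its IOCTL surface to every local account, which is the exposure pattern this article describes.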
“Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused ‘by design,’” said Dekel.
Another issue with the driver that Dekel highlighted makes it possible to run I/O instructions in kernel mode. Researchers said that this issue is less trivial to exploit and might require “using various creative techniques” to achieve elevation of privileges. Finally, the firmware update driver exposes various functions that give rise to read/write issues, which attackers can use to escalate their privileges.
“A classic exploitation technique for this vulnerability would be to overwrite the values of Present and Enabled in the Token privilege member inside the EPROCESS of the process whose privileges we want to escalate,” said Dekel.
To exploit the privilege-escalation flaws, attackers must be local; however, they don’t need administrator privileges. If attackers are able to exploit these flaws, they can escalate their privileges and run code in kernel mode. This could enable them to carry out further malicious actions, such as bypassing security products, said researchers.
“An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege,” said Dekel. “Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”
Researchers said that in order to give Dell customers the opportunity to remediate the vulnerability, they are withholding the proof-of-concept (PoC) code until June 1. In the meantime, both researchers and Dell stress that customers should update their systems.
"We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers," said a Dell spokesperson. "We have seen no evidence this vulnerability has been exploited by malicious actors to date... Thanks to the researchers for working directly with us to resolve the issue."
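Before and after applying the vendor fix, an administrator will want an inventory of where the driver file named above (dbutil_2_3.sys) still sits on a host and whether a matching kernel driver is registered. The PowerShell script below is an added example for this page, not Dell's or SentinelLabs' tooling. The default search roots (the Windows Temp directory and the user profile tree) and the `dbutil` service-name pattern are assumptions made for illustration; the filename itself is the one the article gives.

```powershell
# Added example (not Dell's or SentinelLabs' tooling). Inventories copies of
# dbutil_2_3.sys with their hash and signature, and lists any kernel driver
# registered with the Service Control Manager whose name matches 'dbutil'.
# Search roots and the name pattern are assumptions; widen them as needed.

function Find-DbutilDriverFile {
    param(
        [string[]]$SearchRoots = @("$env:SystemRoot\Temp", "$env:SystemDrive\Users"),
        [string]$FileName = 'dbutil_2_3.sys'
    )
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Filter $FileName -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Signature status helps distinguish the vendor-shipped driver from a renamed file.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SigStatus = $sig.Status
                    LastWrite = $_.LastWriteTimeUtc
                }
            }
    }
}

function Get-DbutilDriverService {
    param([string]$NamePattern = 'dbutil')
    # Win32_SystemDriver enumerates kernel drivers known to the SCM; WQL LIKE is case-insensitive.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE '%$NamePattern%'" |
        Select-Object Name, State, StartMode, PathName
}

# Report on this host
$files   = @(Find-DbutilDriverFile)
$drivers = @(Get-DbutilDriverService)
if ($files.Count -eq 0 -and $drivers.Count -eq 0) {
    Write-Output 'No dbutil_2_3.sys copies and no registered DBUtil driver found.'
} else {
    Write-Output "Driver file copies found: $($files.Count)"
    $files   | Format-Table -AutoSize
    Write-Output "Registered DBUtil drivers: $($drivers.Count)"
    $drivers | Format-Table -AutoSize
}
```

For a thorough sweep pass `-SearchRoots "$env:SystemDrive\"` to walk the whole drive (slower, but it catches copies dropped outside the temp and profile locations). A file that is present but whose driver shows `State = Stopped` is still worth remediating, since a local user only needs the file to be loadable to reach the vulnerable IOCTL surface.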