Five high severity flaws in Dell’s firmware update driver impacting desktops, laptops, notebooks and tablets have been uncovered by security researchers at SentinelOne’s SentinelLabs.
Since 2009, Dell has released hundreds of millions of Windows devices worldwide which contain the vulnerable driver, the cyber security firm said in a statement.
The flaws, discovered by SentinelOne senior security researcher Kasif Dekel, were reported to Dell on 1 December last year and are tracked as CVE-2021-21551, with a CVSS score of 8.8.
While Dell has assigned one CVE to cover all the flaws in the firmware update driver, the single CVE can be broken down into the following five separate flaws:
- CVE-2021-21551: Local Elevation Of Privileges #1 – Memory corruption
- CVE-2021-21551: Local Elevation Of Privileges #2 – Memory corruption
- CVE-2021-21551: Local Elevation Of Privileges #3 – Lack of input validation
- CVE-2021-21551: Local Elevation Of Privileges #4 – Lack of input validation
- CVE-2021-21551: Denial Of Service – Code logic issue
“Several months ago, I started investigating the security posture of the firmware update driver version 2.3 [dbutil_2_3.sys] module, which seems to have been in use since at least 2009,” Dekel said in a blog post.
“Today, the firmware update driver component, which is responsible for Dell Firmware Updates via the Dell Bios Utility, comes pre-installed on most Dell machines running Windows and freshly installed Windows machines that have been updated. Hundreds of millions of Dell devices have updates pushed on a regular basis, for both consumer and enterprise systems.
“This led to the discovery of five high severity bugs that have remained undisclosed for 12 years. These multiple high severity vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges.
“Over the years, Dell has released BIOS update utilities which contain the vulnerable driver for hundreds of millions of computers (including desktops, laptops, notebooks, and tablets) worldwide,” he added.
Dekel said the high severity flaws could allow any user on an affected computer, even without privileges, to escalate their privileges and run code in kernel mode.
“Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products,” he noted.
Moreover, an attacker who has already gained access to an organisation’s network may be able to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then use other techniques, such as lateral movement, to pivot to the broader network, Dekel noted.
Dell has released an update utility and provided remediation steps to mitigate the security vulnerability affecting the [dbutil_2_3.sys] driver packaged with Dell Client firmware update utility packages and tools.
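As an added example that is not part of the article or of Dell’s own tooling, the following PowerShell audit looks for the vulnerable driver named above on a Windows host, both as a registered kernel driver and as a file left on disk. The temp-folder locations it searches are an assumption and should be confirmed against the remediation steps in Dell’s advisory (DSA-2021-088).

```powershell
# Added example (not from the article or from Dell): audit a Windows host for
# the vulnerable Dell firmware update driver dbutil_2_3.sys. It checks:
#   1. whether the driver is registered/loaded as a system driver
#   2. whether copies of the file sit in per-user or system temp folders
#      (assumption: the update utility leaves the driver in temp locations;
#      confirm the exact paths against Dell's DSA-2021-088 advisory)
# Run from an elevated PowerShell session so every user profile is visible.

$driverName = 'dbutil_2_3.sys'

# 1. Registered kernel drivers whose image path references the file
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName*" } |
    Select-Object Name, State, StartMode, PathName

# 2. On-disk copies in the system temp folder and each profile's local temp folder
$searchRoots = @("$env:SystemRoot\Temp")
$searchRoots += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

$files = foreach ($root in $searchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Filter $driverName -File -Recurse -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime,
                @{ Name = 'SHA256'; Expression = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
    }
}

# 3. Report findings so the host can be remediated with Dell's update utility
if ($loaded) { Write-Output 'Driver registered/loaded:'; $loaded | Format-Table -AutoSize }
if ($files)  { Write-Output 'On-disk copies found:';     $files  | Format-Table -AutoSize }
if (-not $loaded -and -not $files) { Write-Output "No trace of $driverName found on this host." }
```

The SHA256 column is there so findings can be compared against the hashes Dell publishes with its remediation guidance, which this article does not reproduce.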
“We remediated a vulnerability (CVE-2021-21551) in a driver [dbutil_2_3.sys] affecting certain Windows-based Dell computers,” a spokesperson for Dell Technologies told ARN. “We have seen no evidence this vulnerability has been exploited by malicious actors to date.
“We encourage customers to review the Dell Security Advisory (DSA-2021-088) and follow the remediation steps as soon as possible. We’ve also posted a FAQ for additional information. Thanks to the researchers for working directly with us to resolve the issue,” the spokesperson added.
SentinelOne said that, as of 4 May, it had not discovered evidence of in-the-wild abuse.