Millions of Dell Systems

Five high severity flaws are discovered in Dell’s firmware driver update, which would potentially impact Dell desktops, laptops, notebooks, and tablets. This could have the attackers exploit the machines and locally escalate to kernel-mode privileges.

Identifying 5 Flaws in a Row

There comes a pops up a notification message every time when a service gets created or deleted:

This led to the discovery of five high severity bugs that have remained undisclosed for 12 years.

Dell has assigned one CVE to cover all the flaws in the firmware update driver, but this single CVE can be broken down to the following five separate flaws:

  • CVE-2021-21551: Local Elevation Of Privileges #1 – Memory corruption
  • CVE-2021-21551: Local Elevation Of Privileges #2 – Memory corruption
  • CVE-2021-21551: Local Elevation Of Privileges #3 – Lack of input validation
  • CVE-2021-21551: Local Elevation Of Privileges #4 – Lack of input validation
  • CVE-2021-21551: Denial Of Service – Code logic issue

A collection of five flaws, collectively tracked as CVE-2021-21551, have been discovered in DBUtil, a driver from that Dell machines install and load during the BIOS update process and is unloaded at the next reboot.

Who and how was this found?

Kasif Dekel, a security researcher at cybersecurity company SentinelOne did a series of investigation and found that it can be exploited “to escalate privileges from a non-administrator user to kernel mode privileges.” Code from an attacker running with this level of permissions would have unrestricted access to all hardware available on the system, including referencing any memory address.

The most critical problem with the firmware update driver arises that accepts IOCTL (Input/Output Control) requests without any ACL requirements.

Security Advisory by Dell:

Dell has prepared a security advisory for this vulnerability. The remedy is a fixed driver but the researcher says that at the moment of writing the report the company had not revoked the certificate for the vulnerable driver, meaning that an adversary on the network can still use it in an attack.

SentinelOne said the following “An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement” 

The Researcher and team have published a video to show that a vulnerable DBUtil driver can be exploited to achieve local privilege escalation on a target system.

Conclusion:

It is very important for all the Dell Customers and Enterprise units to update the patch with immediate effect! A stitch in time saves nine!