Skip to content
5 high-severity security flaws in Dell’s firmware update driver are impacting potentially 100s of millions of Dell desktops, laptops, notebooks & tablets, researchers have revealed.
The privilege-escalation bug remained hidden for 12 years & has been present in all Dell PCs, tablets & notebooks shipped since 2009.
The bugs could allow the ability to bypass security products, execute code & pivot to other parts of the network for lateral movement, according to Sentinel Labs.
Dell BIOS Utility
The many local privilege-escalation (LPE) bugs exist in the firmware update driver version 2.3 (dbutil_2_3.sys) module, which has been in use since 2009. The driver component handles Dell firmware updates via the Dell BIOS Utility, & it comes pre-installed on most Dell machines running Windows.
“100s of millions of Dell devices have updates pushed on a regular basis, for both consumer & enterprise systems,” according to Sentinel Labs researchers, writing in a Tuesday blog posting.
The 5 bugs are collectively tracked as CVE-2021-21551, & they carry a CVSS vulnerability-severity rating of 8.8 out of 10.
Privilege Escalation
Researchers reported that the flaws allow adversaries to escalate their status from non-administrator user to having kernel-mode privileges.
The 5 bugs are:
- LPE No. 1, due to memory corruption
- LPE No 2, also due to memory corruption
- LPE No. 3, due to a lack of input validation
- LPE No. 4, also due to a lack of input validation
- Denial of service flaw, due to a code-logic issue
Firmware Update Driver
Sentinel Labs researchers said they are withholding a proof-of-concept (PoC) exploit until Jun. 1, which will be for the LPE No. 1 issue. However, they did break down some general issues with the driver.
“The 1st & most immediate problem with the firmware update driver arises out of the fact that it accepts input/output control (IOCTL) requests without any [access-control list] ACL requirements,” explains the posting.
“That means that it can be invoked by a non-privileged user. Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges.”
Permit-&-Deny Rules
ACLs are a collection of permit-&-deny rules that provide security by blocking unauthorised users & allowing authorised users to access specific resources.
One example of the issues with this can be illustrated with IOCTL 0x9B0C1EC8. Using that request makes it possible to completely control the arguments passed to the “memmove” function, which allows the copying of memory blocks. This then leads to an arbitrary read/write vulnerability, researchers noted.
Exploitation Technique
“A classic exploitation technique for this vulnerability would be to overwrite the values of ‘present’ & ‘enabled’ in the token-privilege member inside the EPROCESS of the process whose privileges we want to escalate,” they explained. EPROCESS acts as the process object for a given routine.
Sentinel Labs also highlighted the issue in the driver that lies at the heart of LPEs No. 3 & 4: It is possible to run in/out (I/O) instructions in kernel mode with arbitrary operands, i.e., instructions that specify what data is to be manipulated or operated on.
“This is less trivial to exploit & might require using various creative techniques to achieve elevation of privileges,” they explained.
Successful Exploit
However, a successful exploit could allow attackers interact with peripheral devices such as the hard disk drive (HDD) or & GPU to either read/write directly to the disk or invoke direct memory access (DMA), which is used to read & write physical memory operations.
“For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process,” according to this analysis.
IOCTL
Researchers also discussed a 3rd problem unrelated to the IOCTL handler bugs: The driver file itself is located in C:\Windows\Temp, which opens the door to other issues.
“The classic way to exploit this would be to transform any bring-your-own vulnerable driver (BYOVD) into an elevation-of-privileges vulnerability since loading a (vulnerable) driver means you require administrator privileges, which essentially eliminates the need for a vulnerability,”
“Thus, using this side-noted vulnerability virtually means you can take any BYOVD to an elevation of privileges.”
Dell Driver Bugs
Dell has issued patches, available in Dell Security Advisory DSA-2021-088. However, Sentinel Labs noted a potential issue.
“Note that the certificate was not yet revoked (at the time of writing),” researchers said. “This is not considered best practice since the vulnerable driver can still be used in a BYOVD attack as mentioned earlier.”
The impact this could have on users & enterprises that fail to patch is “far reaching and significant,” according to the analysis, although so far no in-the-wild exploits have shown up.
It is very likely that will soon change, however: “With 100s of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action,” researchers concluded.
https://www.cybernewsgroup.co.uk/virtual-conference-may-2021/
