Five serious vulnerabilities in a driver used by Dell devices have been disclosed by researchers.
On Tuesday, SentinelLabs said the vulnerabilities were discovered by security researcher Kasif Dekel, who explored Dell’s DBUtil BIOS driver — software used in the vendor’s desktop and laptop PCs, notebooks, and tablet products.
The team says that the driver has been vulnerable since 2009, although there is no evidence, at present, that the bugs have been exploited in the wild.
The DBUtil BIOS driver comes on many Dell machines running Windows and contains a component, the dbutil_2_3.sys module, which is installed and loaded on demand when the firmware update process is started and is unloaded after a system reboot. This module was the subject of Dekel’s scrutiny.
Dell has assigned one CVE (CVE-2021-21551), CVSS 8.8, to cover the five vulnerabilities disclosed by SentinelLabs.
Two are memory corruption issues in the driver, two are security failures caused by a lack of input validation, and one logic issue was found that could be exploited to trigger denial-of-service.
“These multiple critical vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges,” the researchers say.
The team notes that the most crucial issue in the driver is that access-control list (ACL) requirements, which set permissions, are not invoked during Input/Output Control (IOCTL) requests.
Because the driver runs with a high level of privilege yet imposes no access control on these requests, they can be sent locally by non-privileged users.
“[This] can be invoked by a non-privileged user,” the researchers say. “Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused ‘by design’.”
Functions in the driver were also exposed, creating read/write vulnerabilities usable to overwrite tokens and escalate privileges.
Another interesting bug was the possibility to use arbitrary operands to run IN/OUT (I/O) instructions in kernel mode.
“Since IOPL (I/O privilege level) equals CPL (current privilege level), it is obviously possible to interact with peripheral devices such as the HDD and GPU to either read/write directly to the disk or invoke DMA operations,” the team noted. “For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process.”
“These critical vulnerabilities, which have been present in Dell devices since 2009, affect millions of devices and millions of users worldwide. As with a previous bug that lay in hiding for 12 years, it is difficult to overstate the impact this could have on users and enterprises that fail to patch.”
Proof-of-Concept (PoC) code is being withheld until June to allow users time to patch.
Dell was made aware of Dekel’s findings on December 1, 2020. Following triage and issues surrounding some fixes for end-of-life products, Dell worked with Microsoft and has now issued a fixed driver for Windows machines.
The PC giant has issued an advisory (DSA-2021-088) and a FAQ document containing remediation steps to patch the bugs. Dell has described the security flaw as “a driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools [which] contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure.”
“Local authenticated user access is first required before this vulnerability can be exploited,” Dell added.
“We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers,” a Dell spokesperson said. “We have seen no evidence this vulnerability has been exploited by malicious actors to date. We appreciate the researchers working directly with us to resolve the issue.”
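For defenders checking their own exposure, the following is an added example (not code from the article, Dell or SentinelLabs) that inventories a Windows host for the dbutil_2_3.sys module named in DSA-2021-088. The Temp drop locations and the driver-service lookup are assumptions about how the utility stages the module; Dell’s FAQ remains the authority on removal.

```powershell
# Added example (not Dell's or SentinelLabs' code): inventory a Windows host for the
# dbutil_2_3.sys module named in CVE-2021-21551 / DSA-2021-088.
# Assumptions (not stated in the article): the update utility drops the file under
# per-user and system Temp folders, and registers a kernel driver service whose image
# path points at that file. Run in an elevated PowerShell session.

$DriverName = 'dbutil_2_3.sys'

function Find-DbutilFiles {
    # Candidate drop locations (assumed): every profile's AppData\Local\Temp plus %SystemRoot%\Temp.
    $roots = @("$env:SystemRoot\Temp")
    $roots += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter $DriverName -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                    Signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
                }
            }
    }
}

function Find-DbutilDriverService {
    # Any kernel driver service whose image path references the module, running or not.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($DriverName) } |
        Select-Object Name, State, StartMode, PathName
}

$files    = @(Find-DbutilFiles)
$services = @(Find-DbutilDriverService)

if ($files.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output "No $DriverName file or driver service found on $env:COMPUTERNAME."
} else {
    # Report rather than delete: reconcile findings with Dell's DSA-2021-088 FAQ first,
    # since the same module is re-dropped by unpatched firmware update utilities.
    $files    | Format-Table -AutoSize
    $services | Format-Table -AutoSize
}
```

A file hash and signer alone do not prove the fixed version is in place; compare the findings against the remediation steps in Dell’s FAQ.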
Update 18.35 BST: Inclusion and improved clarity of the module’s loading process.