Better Late than Never: Following the discovery of five major flaws in one of its drivers, which has been in use for over 10 years, Dell has released a patch.
Researchers have just discovered five serious vulnerabilities in a driver that has shipped with Dell devices for more than a decade. Cyber security firm SentinelLabs said on Tuesday that it found the vulnerabilities thanks to security researcher Kasif Dekel, who examined Dell's DBUtil BIOS driver, software used in the vendor's desktops, laptops and tablets. The team says the driver has been vulnerable since 2009, although there is no evidence, at this time, that the flaws have been exploited in the wild.
The DBUtil BIOS driver, which comes preinstalled on many Dell machines running Windows, contains a component, the dbutil_2_3.sys module, that was the subject of the researcher's scrutiny. Dell has assigned a single CVE (CVE-2021-21551), CVSS 8.8, to cover the five vulnerabilities revealed by SentinelLabs. Two of them are memory corruption issues in the driver, two stem from missing input validation, and the fifth is a logic flaw that could be exploited to trigger a denial of service.
"These multiple critical vulnerabilities in Dell software could allow attackers to escalate the privileges of a non-administrator user to kernel-mode privileges," say researchers at SentinelLabs. The team notes that the most crucial issue in the driver is that access control list (ACL) requirements, which define who may open the device, are not enforced on input/output control requests (IOCTLs).
High levels of privilege
Since drivers typically run with high privileges, this means that such requests can be sent locally by unprivileged users. "[This] can be invoked by an unprivileged user," the researchers say. "Allowing any process to communicate with your driver is often bad practice, as drivers operate with the highest privileges; thus, some IOCTL functions can be abused 'on purpose'."
Driver functions were also exposed that provide arbitrary read/write primitives, which could be used to overwrite tokens and escalate privileges. Another interesting bug concerns the possibility of supplying arbitrary operands to IN/OUT (I/O port) instructions executed in kernel mode.
"Since the IOPL (I/O privilege level) is equal to the CPL (current privilege level), it is obviously possible to interact with peripherals like the hard disk and the GPU to read/write directly on disk or invoke DMA operations," the team notes. "For example, we could communicate with the ATA IO port to write directly to disk, and then overwrite a binary loaded by a privileged process."
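The two root causes described above, an IOCTL reachable by any local user and a request whose address and length are trusted as supplied, can be seen side by side in a plain-C model of a "read memory" IOCTL handler. This is an added illustration of the bug class, not Dell's driver code: the request layout, the admin flag standing in for the device ACL, and the two simulated memory regions are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed request layout for a hypothetical "read memory" IOCTL.
 * A model of the bug class only, not the real dbutil_2_3.sys interface. */
typedef struct {
    uint64_t address;  /* caller-supplied source address */
    uint32_t length;   /* caller-supplied byte count */
} read_request_t;

typedef struct { bool is_admin; } caller_t;  /* stands in for the device-object ACL */

/* Simulated memory: one region the driver legitimately exposes, one it must not. */
static uint8_t g_exposed[32] = "firmware-status-block";
static uint8_t g_secret[32]  = "token-or-other-kernel-data";

enum { IOCTL_OK = 0, IOCTL_ACCESS_DENIED = -1, IOCTL_BAD_INPUT = -2, IOCTL_OUT_OF_RANGE = -3 };

/* Vulnerable pattern: any caller, any input size, any address and length. */
int ioctl_read_vulnerable(const caller_t *c, const void *in, size_t in_len,
                          uint8_t *out, size_t out_len) {
    (void)c; (void)in_len; (void)out_len;   /* no ACL check, no size validation */
    const read_request_t *req = (const read_request_t *)in;
    memcpy(out, (const void *)(uintptr_t)req->address, req->length);
    return IOCTL_OK;
}

/* Hardened pattern: enforce the access check, validate sizes, bound the address. */
int ioctl_read_hardened(const caller_t *c, const void *in, size_t in_len,
                        uint8_t *out, size_t out_len) {
    if (!c->is_admin) return IOCTL_ACCESS_DENIED;          /* ACL enforced per request */
    if (in_len != sizeof(read_request_t)) return IOCTL_BAD_INPUT;
    const read_request_t *req = (const read_request_t *)in;
    if (req->length > out_len) return IOCTL_BAD_INPUT;      /* never overrun the output */
    uint64_t base = (uint64_t)(uintptr_t)g_exposed, size = sizeof g_exposed;
    /* Overflow-safe containment test: [address, address+length) within the exposed region. */
    if (req->address < base || req->length > size ||
        req->address - base > size - req->length) return IOCTL_OUT_OF_RANGE;
    memcpy(out, (const void *)(uintptr_t)req->address, req->length);
    return IOCTL_OK;
}

/* Builds a request and dispatches it to either handler (test helper, constructed). */
int read_via(int (*handler)(const caller_t *, const void *, size_t, uint8_t *, size_t),
             bool admin, const void *target, uint32_t len, size_t in_len,
             uint8_t *out, size_t out_len) {
    caller_t c = { admin };
    read_request_t req = { (uint64_t)(uintptr_t)target, len };
    return handler(&c, &req, in_len, out, out_len);
}
```

The three checks in the hardened handler map onto the three findings the article lists: the per-request ACL check closes the unprivileged-caller issue, the size checks close the missing input validation, and the bounded address range removes the arbitrary read primitive.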
Dell publishes a corrected driver
"These critical vulnerabilities, which have been present in Dell devices since 2009, affect millions of devices and millions of users around the world. As with a previous vulnerability that was hidden for 12 years, it's hard to overestimate the impact this could have on users and businesses that don't patch. The proof of concept (PoC) code is being held until June in order to give users time to apply the fixes," commented SentinelLabs.
Dell was informed of Kasif Dekel's findings on 1 December 2020. After triage, and some complications around fixes for end-of-life products, Dell worked with Microsoft and has now published a corrected driver for Windows machines.
The computer giant has published an advisory (DSA-2021-088) and an FAQ document containing remediation steps for the bugs. Dell describes the security vulnerability as "a driver (dbutil_2_3.sys) included with the Firmware Update Utilities and Dell Client Software Tools [which] contains an insufficient access control vulnerability which may lead to an elevation of privileges, a denial of service or a disclosure of information. Authenticated local user access is first required before this vulnerability can be exploited".
"We have addressed a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting some Dell computers running Windows," said a spokesperson for Dell. "We have not seen any evidence that this vulnerability has been exploited by malicious actors to date. We appreciate that the researchers are working directly with us to resolve the issue."