Hundreds of Millions of Dell Users at Risk from Kernel-Privilege Bugs

dell security flaw

The privilege-escalation bug remained hidden for 12 years and has been present in all Dell PCs, tablets and notebooks shipped since 2009.

Five high-severity security flaws in Dell’s firmware update driver are impacting potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets, researchers said.

The bugs have gone undisclosed for 12 years, and could allow the ability to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.

The multiple local privilege-escalation (LPE) bugs exist in the firmware update driver version 2.3 (dbutil_2_3.sys) module, which has been in use since 2009. The driver component handles Dell firmware updates via the Dell BIOS Utility, and it comes pre-installed on most Dell machines running Windows.

“Hundreds of millions of Dell devices have updates pushed on a regular basis, for both consumer and enterprise systems,” according to SentinelLabs researchers, writing in a Tuesday blog posting.

The five bugs are collectively tracked as CVE-2021-21551, and they carry a CVSS vulnerability-severity rating of 8.8 out of 10.

Privilege Escalation to Kernel-Mode

Researchers reported that the flaws allow adversaries to escalate their status from non-administrator user to having kernel-mode privileges.

The five bugs specifically are:

  • LPE No. 1, due to memory corruption
  • LPE No 2, also due to memory corruption
  • LPE No. 3, due to a lack of input validation
  • LPE No. 4, also due to a lack of input validation
  • Denial of service flaw, due to a code-logic issue

SentinelLabs researchers said they’re withholding a proof-of-concept (PoC) exploit until June 1, which will be for the LPE No. 1 issue. However, they did break down some general issues with the driver.

“The first and most immediate problem with the firmware update driver arises out of the fact that it accepts input/output control (IOCTL) requests without any [access-control list] ACL requirements,” according to the posting. “That means that it can be invoked by a non-privileged user. Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges.”

ACLs are a collection of permit-and-deny rules that provide security by blocking unauthorized users and allowing authorized users to access specific resources.

An example of the issues with this can be illustrated with IOCTL 0x9B0C1EC8. Using that request makes it possible to completely control the arguments passed to the “memmove” function, which allows the copying of memory blocks. This in turn leads to an arbitrary read/write vulnerability, researchers noted.

“A classic exploitation technique for this vulnerability would be to overwrite the values of ‘present’ and ‘enabled’ in the token-privilege member inside the EPROCESS of the process whose privileges we want to escalate,” they explained. EPROCESS acts as the process object for a given routine.

SentinelLabs also highlighted the issue in the driver that’s at the heart of LPEs No. 3 and 4: It’s possible to run in/out (I/O) instructions in kernel mode with arbitrary operands, i.e., instructions that specify what data is to be manipulated or operated on.

“This is less trivial to exploit and might require using various creative techniques to achieve elevation of privileges,” they explained. However, a successful exploit could allow attackers to interact with peripheral devices such as the hard disk drive (HDD) or and GPU to either read/write directly to the disk or invoke direct memory access (DMA), which is used to read and write physical memory operations.

“For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process,” according to the analysis.

Researchers also discussed a third problem unrelated to the IOCTL handler bugs: The driver file itself is located in C:\Windows\Temp, which opens the door to other issues.

“The classic way to exploit this would be to transform any bring-your-own vulnerable driver (BYOVD) into an elevation-of-privileges vulnerability since loading a (vulnerable) driver means you require administrator privileges, which essentially eliminates the need for a vulnerability,” according to the posting. “Thus, using this side-noted vulnerability virtually means you can take any BYOVD to an elevation of privileges.”

How to Remediate Dell Driver Bugs

Dell has issued patches, available in Dell Security Advisory DSA-2021-088. However, SentinelLabs noted a potential issue.

“Note that the certificate was not yet revoked (at the time of writing),” researchers said. “This is not considered best practice since the vulnerable driver can still be used in a BYOVD attack as mentioned earlier.”

The impact this could have on users and enterprises that fail to patch is “far reaching and significant,” according to the analysis, although so far no in-the-wild exploits have shown up.

It’s very likely that will soon change, however: “With hundreds of million of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action,” researchers said.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.  

Suggested articles