Five high-severity security flaws in Dell's firmware update driver affect Dell desktops, laptops, notebooks and tablets, researchers said, impacting hundreds of millions of devices. The bugs went unnoticed for 12 years.
According to SentinelLabs, the flaws allow attackers to bypass security restrictions, execute code, and pivot to other parts of the network for lateral movement or further malicious activity.
SentinelLabs researchers addressed the Dell issues in a blog post on Tuesday. They reported multiple local privilege escalation (LPE) bugs in the firmware update driver version 2.3 (dbutil_2_3.sys), a module that has been in use since 2009. The driver component handles Dell firmware updates delivered through the Dell BIOS Utility, and it comes pre-installed on Dell devices running Windows.
The post further said:
“Hundreds of millions of Dell devices have updates pushed on a regular basis, for both consumer and enterprise systems.”
The five vulnerabilities are tracked collectively as CVE-2021-21551 and carry a CVSS severity score of 8.8 out of 10. Researchers reported that they allow attackers to escalate non-administrator users to root privileges.
SentinelLabs researchers said they are holding back a proof-of-concept (PoC) exploit showing the vulnerability in action until June 1. They did, however, outline several general issues with the driver.
“The first and most immediate problem with the firmware update driver arises out of the fact that it accepts input/output control (IOCTL) requests without any [access-control list] ACL requirements,” according to the posting. “That means that it can be invoked by a non-privileged user. Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges.”
The five vulnerabilities are:
- LPE No. 1, due to memory corruption
- LPE No. 2, also due to memory corruption
- LPE No. 3, due to a lack of input validation
- LPE No. 4, also due to a lack of input validation
- Denial of service flaw, due to a code-logic issue
ACLs are sets of permit-and-deny rules that enforce security by blocking unauthorized users and allowing authorized users access to specific resources. For example:
Consider IOCTL 0x9B0C1EC8: a request through this code gives the caller complete control over the arguments passed to the “memmove” function, which copies blocks of memory. That in turn yields an arbitrary read/write vulnerability.
They further clarified:
“A classic exploitation technique for this vulnerability would be to overwrite the values of ‘present’ and ‘enabled’ in the token-privilege member inside the EPROCESS of the process whose privileges we want to escalate,”
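The memmove primitive described above, modelled in user-mode C as an added example that is not SentinelLabs' or Dell's code: the request layout, the handler names and the scratch-buffer bounds are assumptions for illustration, not the real driver's. It places the unchecked pattern (caller-supplied pointers and length handed straight to memmove) beside a handler that validates every field of the request before copying, including the integer wrap-around that a huge length would otherwise cause.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an IOCTL request body (assumption: the real driver's
   layout is not on the page). The caller controls all three fields. */
typedef struct {
    uintptr_t src;  /* source address supplied by the caller */
    uintptr_t dst;  /* destination address supplied by the caller */
    size_t    len;  /* byte count supplied by the caller */
} memmove_request_t;

/* The driver's own scratch area: the only memory a request may legitimately
   touch in this model. Sizes are illustrative. */
#define SCRATCH_SIZE 256
#define MAX_COPY     64
static uint8_t g_scratch[SCRATCH_SIZE];

/* Vulnerable pattern: caller-controlled arguments go straight to memmove, so a
   non-privileged caller chooses where the kernel reads from and writes to. */
static void ioctl_memmove_unchecked(const memmove_request_t *req) {
    memmove((void *)req->dst, (const void *)req->src, req->len);
}

/* True if [p, p + len) lies entirely inside g_scratch. The subtraction on the
   right-hand side is bounded, so an enormous len cannot wrap the check. */
static bool range_in_scratch(uintptr_t p, size_t len) {
    uintptr_t base = (uintptr_t)g_scratch;
    if (p < base || p > base + SCRATCH_SIZE) return false;
    if (len > SCRATCH_SIZE - (size_t)(p - base)) return false;
    return true;
}

/* Hardened pattern: reject anything outside the driver's own buffer or above
   the size the operation needs. Returns 0 on success, -1 on rejection. */
static int ioctl_memmove_checked(const memmove_request_t *req) {
    if (req->len == 0 || req->len > MAX_COPY) return -1;
    if (!range_in_scratch(req->src, req->len)) return -1;
    if (!range_in_scratch(req->dst, req->len)) return -1;
    memmove((void *)req->dst, (const void *)req->src, req->len);
    return 0;
}

/* Convenience wrapper standing in for the dispatch routine. */
static int submit(uintptr_t src, uintptr_t dst, size_t len) {
    memmove_request_t req = { src, dst, len };
    return ioctl_memmove_checked(&req);
}

int main(void) {
    uintptr_t base = (uintptr_t)g_scratch;
    memset(g_scratch, 0, SCRATCH_SIZE);
    memcpy(g_scratch, "ABCD", 4);

    /* In-bounds copy inside the scratch buffer: accepted. */
    printf("in-bounds  : %d\n", submit(base, base + 8, 4));
    /* Destination runs past the end of the buffer: rejected. */
    printf("past-end   : %d\n", submit(base, base + SCRATCH_SIZE - 2, 4));
    /* Length that would wrap the address space: rejected. */
    printf("huge length: %d\n", submit(base, base + 8, SIZE_MAX));
    /* The unchecked handler is only ever safe with an in-bounds request. */
    memmove_request_t ok = { base, base + 16, 4 };
    ioctl_memmove_unchecked(&ok);
    printf("copied     : %.4s\n", (const char *)(g_scratch + 16));
    return 0;
}
```

In a real Windows driver the equivalent of range_in_scratch is to validate user-supplied buffers with ProbeForRead/ProbeForWrite inside a try/except block and never to dereference a raw address taken from the request body; the separate ACL problem quoted earlier is addressed by creating the device object with a restrictive SDDL (for example through IoCreateDeviceSecure with SDDL_DEVOBJ_SYS_ALL_ADM_ALL) so that non-administrators cannot open it at all.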
EPROCESS behaves as the process object for a given routine. SentinelLabs also highlighted the issue in the driver at the heart of LPEs No. 3 and 4: it is possible to execute in/out (I/O) instructions in kernel mode with arbitrary operands (the operands specify the port and data the instruction operates on).
Through successful exploitation, attackers could drive peripheral devices such as the hard disk drive (HDD) or the GPU to read/write directly to the disk or invoke direct memory access (DMA), which reads and writes physical memory.
“This is less trivial to exploit and might require using various creative techniques to achieve elevation of privileges. For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process.”
There is also a third problem that is not related to the IOCTL handler bugs: the driver file itself is located in C:\Windows\Temp, which opens the door to other issues. The posting clarified:
“The classic way to exploit this would be to transform any bring-your-own vulnerable driver (BYOVD) into an elevation-of-privileges vulnerability since loading a (vulnerable) driver means you require administrator privileges, which essentially eliminates the need for a vulnerability. Thus, using this side-noted vulnerability virtually means you can take any BYOVD to an elevation of privileges.”
Dell has issued patches, listed in Dell Security Advisory DSA-2021-088. SentinelLabs nonetheless noted a remaining concern: the impact on users and enterprises that fail to patch is “far-reaching and significant,” according to the analysis, although no in-the-wild exploits have shown up so far.
However, the researchers expect that to change:
“With hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action.”