Yesterday, infosec research firm SentinelLabs revealed 12-year-old flaws in Dell’s firmware updater, DBUtil 2.3. The vulnerable firmware updater has been installed by default on hundreds of millions of Dell systems since 2009.
The five high-severity flaws SentinelLabs discovered and reported to Dell lurk in the dbutil_2_3.sys module, and they have been rounded up under a single CVE tracking number, CVE-2021-21551. There are two memory-corruption issues and two lack-of-input-validation issues, all of which could lead to local privilege escalation, and a code logic issue which could lead to a denial of service.
A hypothetical attacker abusing these vulnerabilities can escalate the privileges of another process or bypass security controls to write directly to system storage. This offers multiple routes to the ultimate goal of local kernel-level access—a step even higher than Administrator or “root” access—to the entire system.
This isn’t a remote code execution vulnerability—an attacker sitting across the world or even across the coffee shop cannot use it directly to compromise your system. The major risk is that an attacker who gets an unprivileged shell via some other vulnerability can use a local privilege escalation exploit like this one to bypass security controls.
Since SentinelLabs notified Dell in December 2020, the company has provided documentation of the flaws and mitigation instructions which, for now, boil down to “remove the utility.” A replacement driver is also available, and it should be automatically installed at the next firmware update check on affected Dell systems.
SentinelLabs’ Kasif Dekel was at least the fourth researcher to discover and report this issue, following CrowdStrike’s Satoshi Tanda and Yarden Shafir and IOActive’s Enrique Nissim. It isn’t clear why Dell needed two years and three separate infosec companies’ reports to patch the issue—but to paraphrase CrowdStrike’s Alex Ionescu above, what matters most is that Dell’s users will finally be protected.