Five severe vulnerabilities in a driver used by Dell devices have been disclosed by researchers.
On Tuesday, SentinelLabs said the vulnerabilities were discovered by security researcher Kasif Dekel, who examined Dell's DBUtil BIOS driver, software shipped with the vendor's desktop and laptop PCs, notebooks and tablets.
The team says the driver has been vulnerable since 2009, although there is no evidence, at present, that the bugs have been exploited in the wild.
The DBUtil BIOS driver ships on many Dell machines running Windows and contains a component, the dbutil_2_3.sys module, which is installed and loaded on demand when the firmware update process is started and is unloaded again after a system reboot. This module was the subject of Dekel's scrutiny.
Dell has assigned a single CVE (CVE-2021-21551), rated CVSS 8.8, to cover the five vulnerabilities disclosed by SentinelLabs.
Two are memory corruption issues in the driver, two are security failures caused by a lack of input validation, and one is a logic issue that could be exploited to trigger a denial of service.
"These multiple critical vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges," the researchers say.
The team notes that the most critical issue in the driver is that access-control list (ACL) requirements, which set who may open the device, are not enforced on Input/Output Control (IOCTL) requests.
Because the device object can be opened without an access check, any local, non-privileged user can send those requests to code that runs with kernel privileges.
"[This] can be invoked by a non-privileged user," the researchers say. "Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused 'by design.'"
The driver also exposes functions that give the caller read and write access to kernel memory, a primitive that can be used to overwrite a process token and escalate privileges.
Another notable bug allows a caller to execute IN/OUT port I/O instructions in kernel mode with arbitrary operands.
"Since IOPL (I/O privilege level) equals CPL (current privilege level), it is obviously possible to interact with peripheral devices such as the HDD and GPU to either read/write directly to the disk or invoke DMA operations," the team noted. "For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process."
"These critical vulnerabilities, which have been present in Dell devices since 2009, affect tens of millions of devices and hundreds of thousands of users worldwide. As with a previous bug that lay in hiding for 12 years, it is difficult to overstate the impact this could have on users and enterprises that fail to patch."
Proof-of-concept (PoC) code is being withheld until June to give users time to patch.
Dell was made aware of Dekel's findings on December 1, 2020. Following triage, and complications around fixes for end-of-life products, Dell worked with Microsoft and has now issued a fixed driver for Windows machines.
The PC giant has published an advisory (DSA-2021-088) and a FAQ document containing remediation steps for the bugs. Dell describes the flaw as "a driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools [which] contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure."
"Local authenticated user access is first required before this vulnerability can be exploited," Dell added.
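The article refers readers to Dell's FAQ for the remediation steps but does not reproduce them. The following is an added example, written for this page rather than taken from the article, SentinelLabs or Dell, of a check an administrator can run on a Windows host to find out whether a copy of dbutil_2_3.sys is present, whether a driver service still points at it, and to remove it. It assumes the firmware updater stages the driver in the two locations Dell's FAQ names: the per-user %LOCALAPPDATA%\Temp of whoever ran the updater, and %SystemRoot%\Temp. The lookup of driver services by path, the hash and signature report, and the -Remove switch are our additions, not vendor procedure.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the article, SentinelLabs or Dell): find, inspect and
  optionally remove the vulnerable dbutil_2_3.sys on a Windows host.
  Assumptions: the updater drops the driver into %LOCALAPPDATA%\Temp of the user
  who ran it, or into %SystemRoot%\Temp (the two locations Dell's FAQ names);
  the -Remove switch and the service lookup by path are ours.
#>
param(
    [switch]$Remove   # report only by default; -Remove deletes what is found
)

$DriverName = 'dbutil_2_3.sys'

# Candidate paths: %SystemRoot%\Temp plus every local profile's AppData\Local\Temp.
$Candidates = @("$env:SystemRoot\Temp\$DriverName") +
    @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName "AppData\Local\Temp\$DriverName" })

# 1. Is a driver service still registered (or running) that points at the file?
#    Usually empty: the module is loaded on demand and unloaded after a reboot,
#    but a registered service means the file can be loaded again without the updater.
$Services = @(Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverName" })
foreach ($s in $Services) {
    Write-Warning ("driver service '{0}' state={1} path={2}" -f $s.Name, $s.State, $s.PathName)
}

# 2. Report each copy on disk: version, SHA-256 (to compare against the IOCs in
#    the vendor/researcher write-ups) and Authenticode status. A valid Dell
#    signature is expected here; it is what lets the vulnerable driver load at all.
$Found = foreach ($p in $Candidates) {
    if (Test-Path -LiteralPath $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path      = $p
            Version   = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
            SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

if (-not $Found) {
    Write-Host "No $DriverName present in the expected locations."
    return
}
$Found | Format-List

# 3. Remediation: stop any running instance first (sc.exe handles kernel driver
#    services), then delete the file(s) so a signed, loadable copy is not left behind.
if ($Remove) {
    foreach ($s in $Services) {
        if ($s.State -eq 'Running') { & sc.exe stop $s.Name | Out-Null }
    }
    foreach ($f in $Found) {
        Remove-Item -LiteralPath $f.Path -Force
        Write-Host "Removed $($f.Path)"
    }
}
```

Run it once without arguments from an elevated prompt to inventory a host, and with -Remove to clean it. Deleting the file matters even though the module is only loaded while a firmware update runs: the driver carries a valid vendor signature, so a copy left on disk stays loadable until the fixed driver has replaced it.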
"We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers," a Dell spokesperson said. "We have seen no evidence this vulnerability has been exploited by malicious actors to date. We appreciate the researchers working directly with us to resolve the issue."
Update 18.35 BST: Added detail on, and improved the clarity of, the description of the module's loading process.