Kernel-Privilege Vulnerabilities found in Dell Systems

Security Vulnerabilities found in Dell Systems

There are currently five severe security bugs in the firmware update driver of Dell computers that could potentially be present in hundreds of millions of machines, including Dell laptops, notebooks, tablets, and desktops.

Image 1024x303

Apparently, the recently reported bugs have been around for 12 years and could be used to infiltrate the affected systems, remotely launch malware code, and exploit the infected device to laterally spread the malware to other systems connected to the same network.

The discovered bugs are categorized as local privilege-escalation bugs (LPE) and are present in version 2.3 (dbutil_2_3.sys) of the firmware driver, which has been around since 2009. Dell firmware updates are handled by the driver via the Dell BIOS, and it is pre-installed on most Dell computers that run on Windows.

According to the researchers at SentinelLabs, hundreds of millions of Dell machines get automatically updated regularly, using the firmware update driver.

The collective name of the five flaws is CVE-2021-21551 and the rating of their severity is 8.8 out of a maximum of 10.

Kernel-Mode Privileges

According to the security specialists, the five bugs can allow attackers to gain kernel-mode permissions in the attacked Dell machine.

Specifically, the five bugs are:

  • LPE No. 1, is caused by memory corruption
  • LPE No 2, also is a memory corruption bug
  • LPE No. 3, is caused by lack of input validation
  • LPE No. 4, is another lack of input validation bug
  • The fifth bug is a denial of service one caused by an issue in the code logic.

For the time being (until the 1st of June), SentinelLabs will be withholding their proof-of-concept exploit which is for the first one of the bugs, the LPE No. 1. That said, the researchers still gave some additional details about the problems with the driver.

According to them, the first problem is that the update driver doesn’t have any access-control list (ACL) requirements when accepting input/output control requests. Because of this, a user without kernel privileges could still invoke it which, in turn, could allow any process to establish communication with the driver. This is a problem because drivers have the highest privileges when operating.

The purpose of ACLs is to block non-privileged users from accessing certain sensitive resources. One example of the problem with the lack of ACL is with IOCTL 0x9B0C1EC8. When the request is used, it becomes possible to control the “memmove” function arguments and this allows memory blocks to be copied. In turn, this could result in the arbitrary read/write vulnerability.

A common technique for exploiting this flaw is to manipulate the “present” and “enabled” values within the EPROCESS token-privilege of the process that is supposed to have its privileges escalate.

Another important problem that the SentinelLabs researchers pointed out is the problem with the driver itself – this is the core of the No. 3 and 4 LPE flaws. According to the report, one could run in/out instructions while in kernel mode with instructions specifying the type of data will be operated on or manipulated. 

The researchers note that exploiting this is more difficult, and it would require that the attackers come up with advanced ways of gaining elevated privileges. That said, if the flaw is exploited successfully, it could enable the hackers to control peripheral devices (for example, the HDD or the GPU of the attacked computer). This, in turn, could allow the attackers to directly read/write to the hard disk or to trigger DMA (direct memory access).

An example given by the researchers is that they could establish communication with the ATA port and directly write to the disk. Then they could overwrite a privileged process binary.

A third problem is also pointed out in the report – one that is not related to the IOCTL flaws. According to the security specialists, the fact that the driver file’s location is in C:\Windows\Temp could potentially cause further problems.

A possible way this could be exploited is by transforming a bring-your-own-vulnerable driver into a vulnerability of the elevation-of-privileges type. This is because, to load a vulnerable drive, one needs to have admin privileges, in which case there wouldn’t be any need for a vulnerability to begin with.

Are the Flaws Fixed?

Dell has already developed and released patches that resolve those issues – more information can be found here.

However, according to SentinelLabs, there might be a possible issue with the released fix. The researchers point out that, at the time of writing, the certificate is yet to be revoked. The problem with this is that the vulnerable driver could still potentially be exploited in a BYOVD-type attack (as was explained above)

The researchers explain that the significance of those flaws and the potential consequences it could have for users and companies that fail to install the latest patch that fixes it could be severe. Still, it must be mentioned that, thus far, there haven’t been any reports of those bugs getting exploited in the wild.

However, it is expected that this will change sooner than later. Since currently there are hundreds of millions of vulnerable users, companies, and organizations, it is virtually inevitable that cybercriminals would attempt to exploit those vulnerabilities on the systems of those who have not yet taken the necessary action to patch them out.

About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

Leave a Comment