The Hacker News | THN:9D126B7467366422AFA2426D37AAD1E2
May 05, 2021 - 10:11 a.m.

BIOS PrivEsc Bugs Affect Hundreds of Millions of Dell PCs Worldwide

2021-05-05 10:11:00
The Hacker News
thehackernews.com
78

CVSS3: 7.8 High

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 4.6 Medium

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

PC maker Dell has issued an update to fix multiple critical privilege escalation vulnerabilities that went undetected since 2009, potentially allowing attackers to gain kernel-mode privileges and cause a denial-of-service condition.

The issues, reported to Dell by researchers from SentinelOne on Dec. 1, 2020, reside in a firmware update driver named “dbutil_2_3.sys” that comes pre-installed on its devices. Hundreds of millions of desktops, laptops, notebooks, and tablets manufactured by the company are said to be vulnerable.

“Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service, or information disclosure. Local authenticated user access is required,” Dell said in an advisory.

All five separate flaws have been assigned the CVE identifier CVE-2021-21551 with a CVSS score of 8.8. A breakdown of the shortcomings is as follows:

  • CVE-2021-21551: Local Elevation Of Privileges #1 – Memory corruption
  • CVE-2021-21551: Local Elevation Of Privileges #2 – Memory corruption
  • CVE-2021-21551: Local Elevation Of Privileges #3 – Lack of input validation
  • CVE-2021-21551: Local Elevation Of Privileges #4 – Lack of input validation
  • CVE-2021-21551: Denial Of Service – Code logic issue

“The high severity flaws could allow any user on the computer, even without privileges, to escalate their privileges and run code in kernel mode,” SentinelOne Senior Security Researcher Kasif Dekel noted in a Tuesday analysis. “Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products.”

Since these are local privilege escalation bugs, they are unlikely to be exploited remotely over the internet. To carry out an attack, an adversary will need to have gained access to a non-administrator account on a vulnerable system, following which the driver vulnerability can be abused to gain local elevation of privilege. Armed with this access, the attacker can then leverage other techniques to execute arbitrary code and laterally move across an organization’s network.

Although no evidence of in-the-wild abuse has been detected, SentinelOne said it plans to release the proof-of-concept (PoC) code on June 1, 2021, giving Dell customers ample time to remediate the vulnerability.

SentinelOne’s disclosure is the third time the same issue has been reported to Dell over the last two years, according to CrowdStrike’s Chief Architect Alex Ionescu, first by the Sunnyvale-based cybersecurity firm in 2019 and again by IOActive. Dell also credited Scott Noone of OSR Open Systems Resources with reporting the vulnerability.
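
To check whether a given Windows machine still carries the driver named above, an inventory script like the following can be run from an elevated PowerShell prompt. It is an added example, not code from the article, Dell or SentinelOne; the search roots and function names are assumptions, since the article does not say where the file is stored.

```powershell
# Added example: inventory check for the driver file named in the article.
$DriverName = 'dbutil_2_3.sys'   # file name as given in the article

# Assumed search roots; the article does not state an install location.
$SearchRoots = @($env:SystemRoot, (Join-Path $env:SystemDrive 'Users'))

function Find-DriverFile {
    param([string[]]$Roots, [string]$Name)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden directories; access-denied folders are skipped.
        Get-ChildItem -LiteralPath $root -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path      = $_.FullName
                    Modified  = $_.LastWriteTime.ToString('s')
                    SHA256    = $hash.Hash              # compare against the vendor advisory
                    Signer    = $sig.SignerCertificate.Subject
                    SigStatus = $sig.Status.ToString()
                }
            }
    }
}

function Find-DriverService {
    param([string]$Name)
    # Win32_SystemDriver lists registered kernel driver services, running or stopped.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$Name*" } |
        Select-Object Name, State, StartMode, PathName
}

$files    = @(Find-DriverFile -Roots $SearchRoots -Name $DriverName)
$services = @(Find-DriverService -Name $DriverName)

# One JSON record per host, convenient for collecting results fleet-wide.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    NeedsFollowUp = ($files.Count + $services.Count) -gt 0
    Files         = $files
    Services      = $services
} | ConvertTo-Json -Depth 3
```

A host that reports `NeedsFollowUp` as true has the file or a matching driver service present and should be checked against Dell's update for CVE-2021-21551.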
