Multiple vulnerabilities have been found in Dell's firmware update driver that let an attacker who already has local, non-privileged access to a machine escalate to kernel-level privileges. The flaws do not by themselves allow remote code execution, but they are still a serious problem: the affected driver has shipped with millions of Dell PCs going back more than a decade.
Research firm SentinelLabs reported the vulnerabilities to Dell back in December last year and has posted a detailed blog with all the information. Additionally, Alex Ionescu from CrowdStrike says that it took "3 separate companies over [a] span of 2 years" until a fix was put in place.
Awesome blog post (https://t.co/IlMbbN2ow5) by @kasifdekel over at @SentinelOne on multiple vulnerabilities in a Dell driver that @standa_t and @yarden_shafir first found back in 2019 at @CrowdStrike as well as @kiqueNissim over at @IOActive, with @kasifdekel shortly after.— Alex Ionescu (@aionescu) May 4, 2021
The research firm notes that the single CVE assigned by Dell covers five flaws: two memory corruption issues, two lack-of-input-validation issues, and a code logic issue that can lead to a denial of service (DoS, not a distributed attack). The problem lies in the 'dbutil_2_3.sys' driver, which is used by multiple firmware update tools for Dell and Alienware systems, including BIOS updaters. The issues are tracked as CVE-2021-21551. The blog post details the technical issues and includes a video of a proof of concept, for those interested.
Dell has released Security Advisory DSA-2021-088 for the vulnerability and has made the updated Windows packages available for manual download. Alternatively, the updated drivers will also be pushed through the various Dell notification tools, which will automatically pull the updated bits on Windows 10 devices from May 10. Supported PCs running Windows 7 and 8.1, however, will only receive them on July 31.
The company has recommended steps that customers and enterprises should take to mitigate the risk posed by the flaws: remove the 'dbutil_2_3.sys' driver from the PC, then either update the driver manually or wait for the updated tools, which bundle the fixed driver, to be downloaded automatically. Note that an older, unpatched update tool will drop the vulnerable driver again the next time it runs, so deleting the file without updating the tools is only a stopgap. To remove the vulnerable driver, Dell recommends one of two options:
- Option 1 (Recommended): Download and run the Dell Security Advisory Update – DSA-2021-088 utility.
- Option 2: Manually remove the vulnerable dbutil_2_3.sys driver:
- Step A: Check the following locations for the dbutil_2_3.sys driver file
- Step B: Select the dbutil_2_3.sys file and hold down the SHIFT key while pressing the DELETE key to permanently delete it (bypassing the Recycle Bin).
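As an added example (not code from the article and not Dell's own DSA-2021-088 utility), the following PowerShell script carries out Option 2 as an auditable procedure rather than a manual file deletion: it reports whether the driver is currently loaded, lists every on-disk copy with its SHA-256 and Authenticode signer, and deletes the copies only when run with a -Remove switch. The search locations (C:\Windows\Temp and each user profile's AppData\Local\Temp) and the approach of unloading the driver through its registered service name are assumptions to verify against the Dell advisory, which the article does not reproduce.

```powershell
<#
 Added example, not Dell's DSA-2021-088 utility: audit a Windows host for
 dbutil_2_3.sys and optionally delete every on-disk copy.
 Assumptions (verify against the Dell advisory): the search locations below
 and the service name the driver registers under when it is loaded.
 Run from an elevated PowerShell prompt, first without -Remove.
#>
param([switch]$Remove)

$DriverName = 'dbutil_2_3.sys'

# Per-user and system temp directories. The per-user path is enumerated for
# every profile, not just the current user, so copies dropped by other
# accounts are not missed.
$SearchRoots = @("$env:SystemRoot\Temp") +
    (Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

# 1. Is the driver loaded right now? A loaded copy is the live exposure,
#    regardless of where the file sits on disk.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($DriverName) }
foreach ($drv in $loaded) {
    Write-Warning ("Loaded driver service '{0}' ({1}): {2}" -f $drv.Name, $drv.State, $drv.PathName)
}

# 2. Enumerate on-disk copies and record hash and signer for the audit trail.
$copies = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter $DriverName -File -Force -ErrorAction SilentlyContinue
}

$report = foreach ($file in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path      = $file.FullName
        SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SigStatus = $sig.Status
        Loaded    = [bool]($loaded | Where-Object { $_.PathName -match [regex]::Escape($file.FullName) })
    }
}

if (-not $report) {
    Write-Host "No copies of $DriverName found in the searched locations."
    return
}
$report | Format-List

if ($Remove) {
    # Unload first: the image file of a loaded driver cannot be deleted.
    foreach ($drv in $loaded) { & sc.exe stop $drv.Name | Out-Null }
    foreach ($entry in $report) {
        Remove-Item -LiteralPath $entry.Path -Force   # permanent delete, as Shift+Delete does
        Write-Host "Removed $($entry.Path)"
    }
}
```

The script matches on file name only, so a copy dropped under a different name or outside the temp directories will not be found; for fleet-wide detection, key on the SHA-256 values and signer the report collects rather than on the name. Dell's own utility (Option 1) remains the recommended route, and the updated firmware tools must still be installed or the driver will reappear.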
The PC maker has also provided a table listing all the supported platforms and products that will receive the patched driver; the full list is in Table A of the advisory.
SentinelLabs says it has no indicators that the vulnerabilities have been exploited in the wild yet. Regardless, given that the firmware update driver is present on "hundreds of millions" of PCs spanning more than a decade, enterprises and consumers alike should take note and update their devices.
Thanks, Warwagon, for the tip!