Hundreds of millions of Dell devices are vulnerable to firmware update driver flaws that can be exploited by a local attacker to gain kernel-level privileges. The vulnerabilities were identified by security researchers at SentinelOne and have been present in Dell laptops, desktops, and tablets since 2009.
The five vulnerabilities have been combined under a single CVE tracking number, CVE-2021-21551, which has been assigned a CVSS v3 base score of 8.8 out of 10 (high severity). They affect the DBUtil driver, which Dell's updater installs and loads during the BIOS update process and which is then unloaded at the next reboot.
Two flaws are memory corruption vulnerabilities, two concern a lack of input validation, and the last is a code logic issue. The code logic flaw can be used for denial of service; the other four allow local elevation of privilege from a non-administrator user to kernel level. With kernel privileges an attacker has unrestricted access to all hardware on the system, including the ability to read or write any memory address, which is enough to install malware and gain persistence on the system.
The vulnerabilities are not rated critical because they cannot be exploited remotely: an attacker first needs to run code on the device as an authenticated user. That initial foothold can of course be obtained remotely, for example through malware, a phishing attack, or a user granting an attacker access to their device in a tech support scam, and the flaws then turn that foothold into kernel-level control.
SentinelOne said there is no indication that any of the vulnerabilities have been exploited in the wild. Dell has released an updated driver to correct the flaws, and SentinelOne will withhold publication of proof-of-concept code until June 1, 2021 to allow sufficient time for the driver to be updated.
It should be noted that the signing certificate for the old driver has not been revoked. Windows will therefore still load the vulnerable driver if an attacker copies it onto a system, even one where the updated driver is installed, so the old driver can still be abused in an attack. Loading a driver requires administrator rights, so this mainly gives an attacker who already has admin access a signed route into the kernel; the practical mitigation is to remove the old driver file from systems rather than only installing the new one.
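As an added check for defenders (example code written for this page, not code from the article, SentinelOne, or Dell), the PowerShell script below looks for the vulnerable DBUtil driver on a Windows host: whether the driver file is still on disk, whether a kernel driver service by that name is registered or running, and whether the System event log records the driver service being installed (Service Control Manager event ID 7045). It assumes the driver file is named dbutil_2_3.sys and that the updater writes it to the system Temp folder or a user's AppData\Local\Temp folder; both the file name and the Temp locations are assumptions taken from Dell's public remediation guidance, not from this article.

```powershell
# Added example: hunt for the vulnerable Dell DBUtil driver on a Windows host.
# Assumptions (not from the article): the driver file is dbutil_2_3.sys and is
# dropped into C:\Windows\Temp or a user's AppData\Local\Temp by the updater.
# Run from an elevated PowerShell session so every user's Temp folder is readable.

$driverName = 'dbutil_2_3.sys'   # assumed file name of the vulnerable driver

# 1. Candidate on-disk locations: the system Temp folder plus each user's Temp folder.
$candidatePaths = @(Join-Path $env:SystemRoot 'Temp')
$userTemps = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
$candidatePaths += $userTemps

$filesFound = foreach ($dir in $candidatePaths) {
    $p = Join-Path $dir $driverName
    if (Test-Path -LiteralPath $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path      = $p
            SizeBytes = (Get-Item -LiteralPath $p).Length
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signer    = $sig.SignerCertificate.Subject   # who signed the driver
            SigStatus = $sig.Status                      # Valid even if the cert is not revoked
        }
    }
}

# 2. Is a kernel driver service with a DBUtil-style name registered or running?
#    The service name pattern 'dbutil*' is an assumption.
$driverServices = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like 'dbutil*' -or $_.PathName -like "*$driverName*" } |
    Select-Object Name, State, StartMode, PathName

# 3. Has the Service Control Manager ever logged the driver service being installed?
#    Event ID 7045 in the System log is written when a new service is installed.
$installEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'dbutil' } |
    Select-Object TimeCreated, Message

# Report
if ($filesFound) {
    Write-Host "Vulnerable driver file(s) still on disk:"
    $filesFound | Format-List
} else {
    Write-Host "No $driverName found in the checked Temp locations."
}

if ($driverServices) {
    Write-Host "DBUtil driver service(s) registered:"
    $driverServices | Format-List
} else {
    Write-Host "No DBUtil kernel driver service is registered."
}

if ($installEvents) {
    Write-Host "Driver service installation events (System log, ID 7045):"
    $installEvents | Format-List
} else {
    Write-Host "No DBUtil service installation events in the System log."
}
```

Finding the file means the old, still-validly-signed driver remains available for an attacker with administrator rights to load; remove it as part of remediation. Not finding it does not prove the firmware update tooling has been updated, so confirm the fix with Dell's advisory for CVE-2021-21551 and compare any file you do find against the hashes Dell publishes rather than against values you assume.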
“An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement,” said SentinelOne.