Severe vulnerabilities in Dell firmware update driver found and fixed
privilege escalation —
Dell firmware update driver 2.3 can be exploited to gain kernel-level privilege.
Yesterday, infosec research firm SentinelLabs revealed 12-year-old flaws in Dell’s firmware updater, DBUtil 2.3. The vulnerable firmware updater has been installed by default on hundreds of millions of Dell systems since 2009.
The five high-severity flaws SentinelLabs discovered and reported to Dell lurk in the
dbutil_2_3.sys module, and they have been rounded up under a single CVE tracking number, CVE-2021-21551. There are two memory-corruption issues and two lack of input validation issues, all of which can lead to local privilege escalation and a code logic issue, which could lead to a denial of service.
A hypothetical attacker abusing these vulnerabilities can escalate the privileges of another process or bypass security controls to write directly to system storage. This offers multiple routes to the ultimate goal of local kernel-level access—a step even higher than Administrator or “root” access—to the entire system.
This is not a remote code execution vulnerability—an attacker sitting across the world or even across the coffee shop cannot use it directly to compromise your system. The major risk is that an attacker who gets an unprivileged shell via some other vulnerability can use a local privilege escalation exploit like this one to bypass security controls.
Since SentinelLabs notified Dell in December 2020, the company has provided documentation of the flaws and mitigation instructions which, for now, boil down to “remove the utility.” A replacement driver is also available, and it should be automatically installed at the next firmware update check on affected Dell systems.
SentinelLabs’ Kasif Dekel was at least the fourth researcher to discover and report this issue, following CrowdStrike’s Satoshi Tanda and Yarden Shafir and IOActive’s Enrique Nissim. It’s not clear why Dell needed two years and three separate infosec companies’ reports to patch the issue—but to paraphrase CrowdStrike’s Alex Ionescu above, what matters most is that Dell’s users will finally be protected.