Vulnerable Dell driver puts hundreds of millions of systems at risk

Privilege escalation on Dell systems via DBUtil driver

A driver that’s been pushed for the past 12 years to Dell computer devices for consumers and enterprises contains multiple vulnerabilities that could lead to increased privileges on the system.

It is estimated that hundreds of millions of Dell computers, from desktops and laptops to tablets, received the vulnerable driver through BIOS updates.

Five flaws in one

A collection of five flaws, collectively tracked as CVE-2021-21551, have been discovered in DBUtil, a driver from that Dell machines install and load during the BIOS update process and is unloaded at the next reboot.

Looking closer at the DBUtil driver, Kasif Dekel, a security researcher at cybersecurity company Sentinel One, found that it can be exploited “to escalate privileges from a non-administrator user to kernel mode privileges.”

Code from an attacker running with this level of permissions would have unrestricted access to all hardware available on the system, including referencing any memory address.

This type of vulnerability is not considered critical because an attacker exploiting it needs to have compromised the computer beforehand. However, it allows threat actors and malware to gain persistence on the infected system.

Although there is a single tracking number, Dekel says that there are five separate flaws, most of them leading to privilege escalation and one code logic issue that leads to denial of service.

CVE-2021-21551 Local Elevation Of Privileges  Memory corruption
CVE-2021-21551 Local Elevation Of Privileges Memory corruption
CVE-2021-21551 Local Elevation Of Privileges Lack of input validation
CVE-2021-21551 Local Elevation Of Privileges Lack of input validation
CVE-2021-21551 Denial of Service Code logic issue

The researcher provides technical information in a blog post today but holds back the details for triggering and exploiting the flaws to give users time to apply the patch. He plans to share proof-of-concept exploit code on June 1st.

Dekel says that Dell has prepared a security advisory for this vulnerability. The remedy is a fixed driver but the researcher says that at the moment of writing the report the company had not revoked the certificate for the vulnerable driver, meaning that an adversary on the network can still use it in an attack.

“An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement” – Sentinel One

Despite the longevity of the vulnerable DBUtil driver and the large number of potential victims, Sentinel One says that they have not seen any indicators about these vulnerabilities being exploited in the wild. However, this may soon change.

The company has published a video to show that a vulnerable DBUtil driver can be exploited to achieve local privilege escalation on a target system.

[embedded content]


Source: BleepingComputer

Leave a Reply