The privilege-escalation bug remained hidden for 12 years and has been present in all Dell PCs, tablets and notebooks shipped since 2009.
Five high-severity security flaws in Dell's firmware update driver affect likely hundreds of millions of Dell desktops, laptops, notebooks and tablets, researchers said.
The bugs went undisclosed for 12 years, and could let an attacker bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.
The multiple local privilege-escalation (LPE) bugs exist in the firmware update driver version 2.3 (dbutil_2_3.sys) module, which has been in use since 2009. The driver component handles Dell firmware updates via the Dell BIOS Utility, and it comes pre-installed on most Dell devices running Windows.
"Hundreds of millions of Dell devices have updates pushed on a regular basis, for both consumer and enterprise systems," according to SentinelLabs researchers, writing in a Tuesday blog posting.
The five bugs are collectively tracked as CVE-2021-21551, and they carry a CVSS vulnerability-severity rating of 8.8 out of 10.
Privilege Escalation to Kernel Mode
Researchers reported that the flaws allow adversaries to escalate from a non-administrator user to kernel-mode privileges.
The five bugs specifically are:
- LPE No. 1, due to memory corruption
- LPE No. 2, also due to memory corruption
- LPE No. 3, due to a lack of input validation
- LPE No. 4, also due to a lack of input validation
- Denial-of-service flaw, due to a code-logic issue
SentinelLabs researchers said they are withholding a proof-of-concept (PoC) exploit until June 1; it will target the LPE No. 1 issue. However, they did break down some general problems with the driver.
"The first and most immediate problem with the firmware update driver arises out of the fact that it accepts input/output control (IOCTL) requests without any [access-control list] ACL requirements," according to the posting. "That means that it can be invoked by a non-privileged user. Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges."
ACLs are a collection of allow-and-deny rules that provide security by blocking unauthorized users and letting authorized users access specific resources. For a Windows device object, that ACL is fixed when the driver creates the device: a driver that needs to restrict who can open its device can create it with an explicit security descriptor (for example, with IoCreateDeviceSecure and an SDDL string limiting access to SYSTEM and Administrators) rather than relying on the default, which is what leaves a device reachable from an unprivileged process.
An example of the problems this causes can be illustrated with IOCTL 0x9B0C1EC8. Using that request makes it possible to completely control the arguments passed to the "memmove" function, which copies memory blocks. Because source, destination and length all come from the caller, this in turn leads to an arbitrary read/write vulnerability, researchers noted.
"A classic exploitation technique for this vulnerability would be to overwrite the values of 'Present' and 'Enabled' in the Token-Privilege member within the EPROCESS of the process whose privileges we want to escalate," they said. EPROCESS is the kernel's process object for a given process; the token it points to records which privileges the process holds and which are currently enabled.
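The following is an added, constructed user-mode model of the bug class described above; it is not Dell's driver, SentinelLabs' PoC, or real Windows structures. It stands in for kernel memory with a global so it runs anywhere: the vulnerable handler hands the caller's three fields straight to memmove, which is enough to flip the Present/Enabled masks of a fake token, while the hardened handler applies the ProbeForRead/ProbeForWrite discipline (every copy range must lie inside the single buffer the I/O manager supplied, with overflow-safe arithmetic) and refuses the same request. Structure names, field layout and the status codes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model (not Dell's code): layout and names are assumptions. */
#define STATUS_SUCCESS            0
#define STATUS_ACCESS_VIOLATION   1
#define STATUS_INVALID_PARAMETER  2

/* Shape of the token-privilege member the text refers to (Present/Enabled). */
typedef struct {
    uint64_t present;
    uint64_t enabled;
    uint64_t enabled_by_default;
} token_privileges_t;

/* Stand-in for a privileged process' EPROCESS/TOKEN living in "kernel" memory. */
static struct {
    uint8_t            header[0x40];
    token_privileges_t privileges;
} g_kernel_token;

/* Caller-controlled IOCTL payload: three raw values, no validation. */
typedef struct {
    uintptr_t src;
    uintptr_t dst;
    size_t    len;
} memmove_request_t;

/* Vulnerable handler: every memmove argument comes from the unprivileged caller. */
int vulnerable_ioctl(const memmove_request_t *req)
{
    memmove((void *)req->dst, (const void *)req->src, req->len);
    return STATUS_SUCCESS;
}

/* 1 if [base, base+len) lies entirely inside the caller's buffer; the
 * subtraction form means base+len can never wrap around and pass the check. */
static int range_in_user_buffer(uintptr_t base, size_t len,
                                uintptr_t ubuf, size_t ubuf_len)
{
    if (len > ubuf_len)               return 0;
    if (base < ubuf)                  return 0;
    if (base - ubuf > ubuf_len - len) return 0;
    return 1;
}

/* Hardened handler: both ranges must fall inside the buffer the I/O manager
 * handed us, so a caller can never name a kernel address as src or dst. */
int hardened_ioctl(const memmove_request_t *req, uintptr_t ubuf, size_t ubuf_len)
{
    if (req->len == 0) return STATUS_INVALID_PARAMETER;
    if (!range_in_user_buffer(req->src, req->len, ubuf, ubuf_len) ||
        !range_in_user_buffer(req->dst, req->len, ubuf, ubuf_len))
        return STATUS_ACCESS_VIOLATION;
    memmove((void *)req->dst, (const void *)req->src, req->len);
    return STATUS_SUCCESS;
}

/* Runs the Present/Enabled overwrite against one handler and returns the
 * resulting Enabled mask: all ones means the token was hijacked. */
uint64_t attempt_token_overwrite(int use_hardened)
{
    static uint64_t wanted[2] = { UINT64_MAX, UINT64_MAX }; /* Present, Enabled */
    uint8_t user_buf[64];                                   /* the real I/O buffer */

    memset(&g_kernel_token, 0, sizeof g_kernel_token);      /* fresh low-priv token */
    memmove_request_t req = {
        .src = (uintptr_t)wanted,
        .dst = (uintptr_t)&g_kernel_token.privileges,       /* points into "kernel" */
        .len = sizeof wanted,
    };
    if (use_hardened)
        hardened_ioctl(&req, (uintptr_t)user_buf, sizeof user_buf);
    else
        vulnerable_ioctl(&req);
    return g_kernel_token.privileges.enabled;
}

/* A legitimate copy inside the caller's buffer still works through the hardened path. */
int hardened_copy_within_buffer(void)
{
    uint8_t user_buf[64] = { 1, 2, 3, 4 };
    memmove_request_t req = { .src = (uintptr_t)user_buf,
                              .dst = (uintptr_t)(user_buf + 32), .len = 4 };
    if (hardened_ioctl(&req, (uintptr_t)user_buf, sizeof user_buf) != STATUS_SUCCESS)
        return -1;
    return user_buf[35];                                    /* 4 once the copy landed */
}

/* A copy that would run 4 bytes past the end of the buffer is refused. */
int hardened_rejects_overrun(void)
{
    uint8_t user_buf[64];
    memmove_request_t req = { .src = (uintptr_t)user_buf,
                              .dst = (uintptr_t)(user_buf + 60), .len = 8 };
    return hardened_ioctl(&req, (uintptr_t)user_buf, sizeof user_buf);
}

int main(void)
{
    printf("vulnerable: enabled=0x%016llx\n", (unsigned long long)attempt_token_overwrite(0));
    printf("hardened:   enabled=0x%016llx\n", (unsigned long long)attempt_token_overwrite(1));
    return 0;
}
```

The point of the model is the shape of the fix rather than the particular IOCTL: a kernel handler must never dereference a pointer or honour a length it received from user mode without first pinning both to the buffer it actually owns, and the range check has to be written so that a huge length cannot wrap the end address back below the start.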
SentinelLabs also highlighted the issue at the heart of LPEs No. 3 and 4: the driver makes it possible to execute IN/OUT (port I/O) instructions in kernel mode with arbitrary operands, i.e., the caller chooses the operands that specify which port is accessed and what data is written.
"This is less trivial to exploit and might require using various creative techniques to achieve elevation of privileges," they explained. Nevertheless, a successful exploit could let attackers interact with peripheral devices such as the hard disk drive (HDD) or GPU, either to read/write directly to the disk or to invoke direct memory access (DMA), which reads and writes physical memory.
"For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process," according to the analysis.
Researchers also discussed a third problem unrelated to the IOCTL handler bugs: the driver file itself is located in C:\Windows\Temp, which opens the door to other issues.
"The classic way to exploit this would be to transform any bring-your-own vulnerable driver (BYOVD) into an elevation-of-privileges vulnerability since loading a (vulnerable) driver means you require administrator privileges, which essentially eliminates the need for a vulnerability," according to the posting. "Thus, using this side-mentioned vulnerability practically means you can take any BYOVD to an elevation of privileges."
How to Remediate Dell Driver Bugs
Dell has issued patches, available in Dell Security Advisory DSA-2021-088. However, SentinelLabs noted a remaining concern.
"Note that the certificate was not yet revoked (at the time of writing)," researchers said. "This is not considered best practice since the vulnerable driver can still be used in a BYOVD attack as mentioned earlier."
The impact this could have on users and enterprises that fail to patch is "far reaching and significant," according to the research, although so far no in-the-wild exploits have shown up.
"With hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action," researchers said.