10 with 10 posters participating
Yesterday, infosec research firm SentinelLabs revealed 12-year-old flaws in Dell’s firmware updater, DBUtil 2.3. The vulnerable firmware updater has been installed by default on hundreds of millions of Dell systems since 2009.
The five high-severity flaws SentinelLabs discovered and reported to Dell lurk in the
dbutil_2_3.sys module, and they have been rounded up under a single CVE tracking number, CVE-2021-21551. There are two memory-corruption issues and two lack of input validation issues, all of which can lead to local privilege escalation and a code logic issue which could lead to a denial of service.
A hypothetical attacker abusing these vulnerabilities can escalate the privileges of another process or bypass security controls to write directly to system storage. This offers multiple routes to the ultimate goal of local kernel-level access—a step even higher than Administrator or “root” access—to the entire system.
provided documentation of the flaws and mitigation instructions which, for now, boil down to “remove the utility.” A replacement driver is also available, and it should be automatically installed at the next firmware update check on affected Dell systems.
SentinelLabs’ Kasif Dekel was at least the fourth researcher to discover and report this issue, following CrowdStrike’s Satoshi Tanda and Yarden Shafir and IOActive’s Enrique Nissim. It’s not clear why Dell needed two years and three separate infosec companies’ reports to patch the issue—but to paraphrase CrowdStrike’s Alex Ionescu above, what matters most is that Dell’s users will finally be protected.