Dell has issued an advisory to patch five high-severity zero-day vulnerabilities that have gone undetected since 2009. The flaws, linked to a single driver file, allow escalation of privileges and kernel-level access on already compromised hosts.
Owners and administrators of affected devices should apply patches ASAP.
What is the nature of the vulnerabilities?
All five vulnerabilities are tracked under CVE-2021-21551 (CVSS 8.8). They were identified by SentinelOne researchers, who noted that the affected driver has shipped on hundreds of millions of business and consumer machines over the last 12 years.
While it is tracked in a single CVE, the five vulnerabilities can be broken down into the following categories:
- Memory Corruption: two vulnerability instances
- Input Validation: two vulnerability instances
- DoS: one vulnerability instance
From Dell:
A driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is first required before this vulnerability can be exploited.
“Local authenticated user access” should not be interpreted as physical access. Local access just means that any foothold in the operating system, such as one established by downloaded malware or a phishing attack, could position the attacker to exploit these vulnerabilities.
Affected products
The list of affected devices is extensive. Visit Dell advisory DSA-2021-088 to see the table of affected devices, which includes both currently supported and end-of-life products.
Impact
Hundreds of millions of Dell tablets, notebooks, and laptops are at risk of having the vulnerabilities exploited.
The bugs allow an attacker with existing lower-privilege access to escalate and do real damage, such as bypassing security controls, destroying data, or moving through the network to other critical assets such as domain controllers.
How can I remediate?
Remediation steps are outlined in greater detail in the Dell advisory (also linked below). The actions boil down to:
- Immediately remove the vulnerable dbutil_2_3.sys driver from the affected system
- Download and run a remediated firmware update utility package, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, or Dell Platform Tags as applicable.
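The first remediation step, finding and removing the vulnerable driver file, can be scripted. The following PowerShell is an added example written for this summary; it is not Dell's own tooling and does not replace the second step of running a remediated Dell update utility. It assumes the driver file is dropped into per-user or system-wide Temp directories and, when loaded, is registered as a kernel driver service whose name starts with "dbutil"; both are assumptions, so the script reports everything it finds and only deletes when run with -Remove.

```powershell
# Added example (not from Dell or the original advisory): inventory and optionally
# remove the vulnerable dbutil_2_3.sys driver described in DSA-2021-088 / CVE-2021-21551.
# Assumptions: the file lives under per-user or system Temp directories, and a loaded
# copy appears as a Win32_SystemDriver whose name starts with "dbutil".
# Run from an elevated PowerShell session. Default is report-only.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # pass -Remove to stop the driver service and delete the file(s)
)

$driverName = 'dbutil_2_3.sys'

# Candidate locations: the system Temp plus every user profile's local Temp.
$searchRoots = @(Join-Path $env:SystemRoot 'Temp') +
    (Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

$found = foreach ($root in $searchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter $driverName -File -Recurse -ErrorAction SilentlyContinue
    }
}

# A running dbutil driver service means the vulnerable code is resident in the kernel
# even if the file on disk has already been cleaned up.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'dbutil*' -or $_.PathName -like "*$driverName*" }

# Report: record the hash so the finding can be correlated across hosts.
foreach ($f in $found) {
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Output ("FOUND  {0}  sha256={1}  written={2}" -f $f.FullName, $hash, $f.LastWriteTime)
}
foreach ($d in $loaded) {
    Write-Output ("LOADED service={0} state={1} path={2}" -f $d.Name, $d.State, $d.PathName)
}
if (-not $found -and -not $loaded) {
    Write-Output "No $driverName file or driver service found on this host."
}

if ($Remove) {
    # Unload first: a driver that is still running cannot be deleted and remains
    # reachable from user mode until its service is stopped.
    foreach ($d in $loaded) {
        if ($PSCmdlet.ShouldProcess($d.Name, 'Stop and delete driver service')) {
            Stop-Service -Name $d.Name -Force -ErrorAction SilentlyContinue
            & sc.exe delete $d.Name | Out-Null
        }
    }
    foreach ($f in $found) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete vulnerable driver file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Run it once without arguments to collect an inventory across the fleet (the SHA256 output lets you confirm every copy is the same binary), then with -Remove -WhatIf to preview, and finally with -Remove. Because the Dell update utilities may re-extract the driver, the scan is worth repeating after the remediated utility from the second step has been installed.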
Resources
Dark Reading article:
https://www.darkreading.com/threat-intelligence/hundreds-of-millions-of-dell-computers-potentially-vulnerable-to-attack/d/d-id/1340910
AK/ZJ