'Millions' of Dell PCs will grant malware, rogue users admin-level access if asked nicely

Five vulnerabilities lay undetected for almost a dozen years in Windows driver code


Dell desktops, laptops, and tablets built since 2009 and running Windows can be exploited to grant rogue users and malware system-administrator-level access to the computers. We're told this amounts of hundreds of millions of machines that can be completely hijacked.

This is made possible by five security vulnerabilities in Dell's dbutil_2_3.sys driver, which it bundles with its PCs. These are grouped under the label CVE 2021-21551, and they can be abused to crash systems, steal information, and escalate privileges to take total control. These programming blunders can only be exploited by applications already running on a machine, or a logged-in user.

"While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, with hundreds of million of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action," warned Kasif Dekel, a senior security researcher at SentinelOne who helped find the holes.

The flaws are within Dell's firmware update driver, and are fairly simple to abuse. Essentially, Dell's driver accepts system calls from any user or program on a machine; there are no security checks nor an access control list to see if the caller is sufficiently authorized or privileged. These system calls – specifically, IOCTL calls – can instruct the kernel-level driver to move the contents of memory from one address to another, allowing an attacker to read and write arbitrary kernel RAM. At that point, it's game over: the machine can be commandeered at the operating-system level, a rootkit installed, and so on.

The driver even allows anyone to make x86 I/O port reads and writes, granting access to the underlying hardware. In all, there are two memory corruption bugs, two instances of a lack of input validation, and one logic error – some are relatively easy and some tricky to exploit in practice. The SentinelOne team demonstrated a proof-of-concept attack on video, and aren't releasing any exploit code until June 1 to allow time to patch.

"Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused 'by design,'" they noted.

Dell has emitted a patched driver, and accompanying FAQ on the issue, after the bug hunters reported the flaws in December. The fix will also be pushed out from May 10.

"Dell has remediated the dbutil driver and has released firmware update utility packages for supported platforms running Windows 10, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent and Dell Platform Tags," the computing behemoth said.

"For supported platforms on Windows when you install a remediated package containing the BIOS, Thunderbolt firmware, TPM firmware, or dock firmware; or update Dell Command Update, Dell Update, or Alienware Update; or install the latest version of Dell System Inventory Agent or Dell Platform Tags."

The infosec researchers note Dell hasn't rescinded the code-signing certificate for the insecure Windows driver yet. We've asked Dell if or when this is likely to occur and will update you accordingly. ®


Biting the hand that feeds IT © 1998–2021