
Hundreds of Millions of Dell Laptops and Desktops Vulnerable to Privilege Escalation Attacks

btarunr

Editor & Senior Moderator
Dell notebooks and desktops dating back to 2009, hundreds of millions of machines the PC giant has shipped since then, are vulnerable to privilege escalation attacks because of a flawed OEM driver the company uses to update a computer's BIOS/UEFI firmware, according to findings by security researchers at SentinelLabs. "DBUtil," a driver that Dell machines load when a BIOS/UEFI update is started from within the OS, contains vulnerabilities that malware already running on the machine can exploit to "escalate privileges from a non-administrator user to kernel mode privileges."

SentinelLabs' findings are tracked as CVE-2021-21551, which covers five individual flaws: two memory corruption bugs that can be used to escalate privileges, two cases of missing input validation, and one that leads to a denial of service. This is a local privilege escalation, not a remotely exploitable bug: an attacker first needs to run code on the machine, as a low-privileged user, and the driver then lets that code reach kernel mode. The risk to organizations is what an existing foothold turns into. "An attacker with access to an organization's network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement," writes SentinelLabs in its write-up.



The good news is that SentinelLabs worked with Dell before going public, and a patched DBUtil driver is ready. Dell now faces the task of pushing the fix to potentially hundreds of millions of client PCs it has shipped since 2009. The company has published a security advisory describing CVE-2021-21551 to end users and recommending the next course of action.
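Since the fix is a driver update and Dell's advisory leaves the clean-up to the machine owner, the check an administrator wants is whether the old driver is still on a given box. The PowerShell below is an added example, not part of the original post and not Dell's own tooling. It assumes, from Dell's advisory DSA-2021-088 rather than from anything quoted in the post, that the driver file is named dbutil_2_3.sys, that Dell's updater leaves copies in C:\Windows\Temp and in each user's local AppData\Temp, and that Dell's remediation for a leftover copy is to delete it. A match is a reason to follow the advisory, not proof the machine was exploited.

```powershell
# Added example: inventory (and optionally remove) the DBUtil driver file that
# CVE-2021-21551 concerns. Assumptions, taken from Dell's advisory DSA-2021-088
# and not from the post above: file name dbutil_2_3.sys, dropped by Dell's
# updater into C:\Windows\Temp and per-user AppData\Local\Temp.
[CmdletBinding()]
param(
    [switch]$Remove   # delete any on-disk copies found; needs an elevated prompt
)

$driverName = 'dbutil_2_3.sys'

# Candidate locations: machine-wide temp plus every user profile's local temp.
$candidates = @("$env:SystemRoot\Temp\$driverName")
$candidates += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName "AppData\Local\Temp\$driverName" }

$found = $candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }

# Is a kernel driver backed by that file registered or running right now?
# Matching on PathName avoids depending on the service name Dell registered.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName" }

foreach ($d in $loaded) {
    Write-Warning ("DBUtil driver service '{0}' present, state={1}, path={2}" -f `
        $d.Name, $d.State, $d.PathName)
}

if (-not $found -and -not $loaded) {
    Write-Output "No $driverName found on disk or registered as a driver."
    return
}

foreach ($path in $found) {
    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    Write-Output ("Found {0}  size={1}  modified={2:u}  signer={3}" -f `
        $path, $item.Length, $item.LastWriteTime, $sig.SignerCertificate.Subject)

    if ($Remove) {
        # A copy that is currently loaded as a service cannot be deleted in place;
        # the Remove-Item error below is the signal to deal with the service first.
        try {
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            Write-Output "  removed"
        } catch {
            Write-Warning "  could not remove ${path}: $($_.Exception.Message)"
        }
    }
}
```

Run it without switches first to see what is on the machine; the signer line is there so an operator can tell a Dell-signed leftover from something that merely reuses the name. The removal path only addresses the stale file, which is what the advisory asks for; installing Dell's patched driver is a separate step through the usual update tooling.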

A video presentation by SentinelLabs follows.


"Dude, you're getting a Dell" hahahahaha

NOW we know why their infamous commercial elicited so many chuckles the world over.......

I mean it only took 'em 12 friggin years to disclose the flaw, makes me wonder how long they've actually known about them....
 
"Dude, you're getting a Dell" hahahahaha

NOW we know why their infamous commercial elicited so many chuckles the world over.......

I mean it only took 'em 12 friggin years to disclose the flaw, makes me wonder how long they've actually known about them....

"Disclosed" is the wrong term. If they knew about it it wouldn't be, but I'm assuming they didn't.
 
"Disclosed" is the wrong term. If they knew about it it wouldn't be, but I'm assuming they didn't.
I'd never assume such a huge company "didn't know". However, I would assume that Javaris Jamar Javarison Lamar, the programming guru down in the deepest pits of hell (the basement), knew and told some VP in charge of updates, who carefully lifted the rug to sweep it under there just to keep his job.
 
Dell would not have known about it or they would have both fixed the problem and disclosed it. For whatever other problems they might have, failing to handle problems like this in a timely and ethical way is not one of them.
 
"Dude, you're getting a Dell" hahahahaha

NOW we know why their infamous commercial elicited so many chuckles the world over.......

I mean it only took 'em 12 friggin years to disclose the flaw, makes me wonder how long they've actually known about them....
Mr. Hat says, "You go to Dell! You go to Dell and you buy!"
 
I'd never assume such a huge company "didn't know". However, I would assume that Javaris Jamar Javarison Lamar, the programming guru down in the deepest pits of hell (the basement), knew and told some VP in charge of updates, who carefully lifted the rug to sweep it under there just to keep his job.

Or he would have just fixed it. It's an updated driver. It's not microcode, or something that requires the user to do anything difficult or unusual. It's just a driver update. Drivers get updated. It's a normal thing to happen. In theory someone might have seen this or been told "hey, there's a pretty serious issue with a driver we use for every single one of our systems, I can fix it if you want" and then ordered it hushed up, but the much simpler and more realistic explanation is that they missed it. This is the reason security researchers exist.
 
In theory someone might have seen this or been told "hey, there's a pretty serious issue with a driver we use for every single one of our systems, I can fix it if you want" and then ordered it hushed up
Having worked for Dell, I can confidently say nothing like that happened.

but the much simpler and more realistic explanation is that they missed it.
This. We're talking about a simple vulnerability no one knew about and is relatively easily fixed, assuming it's installed in the first place. Not everyone installs it or leaves it installed. If it's not present on the Dell system in question it's not a problem for that system. It's not a critical piece of software and is often absent.

People, let's quit making drama where there is none.
 
People, let's quit making drama where there is none.
Where's the fun in that? Spoilsport!

I can understand that it might have been missed, but... and IF... let's assume it WAS known, but rated as such a minor issue at the time that it didn't even make it onto the list of "will it ever become an issue", so it never got fixed and was forgotten about. That's a likely scenario given the progress made since that time. Tools and code are looked at differently now; it took years to find the flaw. I still question whether Dell knew or not; if so, it brings up other questions. Deny all you want, but tin hat owners will still ask questions.
 
Whew! For a minute there I was sweating bullets. My Optiplex 4600 Pentium 4 system from 2004 seems to be safe!
 
Where's the fun in that? Spoilsport!

I can understand that it might have been missed, but... and IF... let's assume it WAS known, but rated as such a minor issue at the time that it didn't even make it onto the list of "will it ever become an issue", so it never got fixed and was forgotten about. That's a likely scenario given the progress made since that time. Tools and code are looked at differently now; it took years to find the flaw. I still question whether Dell knew or not; if so, it brings up other questions. Deny all you want, but tin hat owners will still ask questions.
It wouldn't have been known. Dell is the king of enterprise system sales; more companies run on Dell than on HP or Lenovo systems these days, and Dell has kept and grown that market by being upfront and fixing issues when they appear if possible, and if not possible they make it easy to get it replaced, like the laptop batteries: if it's swollen, get on chat, send a picture, and the next day you have a new battery. Dell wouldn't risk billions in enterprise sales over a driver.
 
Deny all you want, but tin hat owners will still ask questions.
Tin-hats will be tin-hats. But this is Dell we're talking about, not Microsoft. It is in Dell's best interests to stay on top of things like this and fix them as quickly as possible because...
It wouldn't have been known. Dell is the king of enterprise system sales; more companies run on Dell than on HP or Lenovo systems these days, and Dell has kept and grown that market by being upfront and fixing issues when they appear if possible, and if not possible they make it easy to get it replaced, like the laptop batteries: if it's swollen, get on chat, send a picture, and the next day you have a new battery. Dell wouldn't risk billions in enterprise sales over a driver.
...this.

Dell is a company that has historically been a top performer when security concerns are a focus. They have nothing to gain by dodging something like this and a lot to lose...
 
Some more info here:


SentinelLabs' Kasif Dekel was at least the fourth researcher to discover and report this issue, following CrowdStrike's Satoshi Tanda and Yarden Shafir and IOActive's Enrique Nissim. It's not clear why Dell needed two years and three separate infosec companies' reports to patch the issue—but to paraphrase CrowdStrike's Alex Ionescu above, what matters most is that Dell's users will finally be protected.

That is an interesting thing at least.
 