This vulnerable firmware update driver has shipped on hundreds of millions of Dell Windows PCs around the world since 2009. The multiple local privilege-escalation (LPE) bugs exist in Dell’s dbutil_2_3.sys driver, which comes pre-installed on most Dell machines running Windows. The firmware update driver component is responsible for Dell firmware updates via the Dell BIOS Utility. The five high-severity vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel-mode privileges. Dell has grouped all the flaws in the firmware update driver under the label CVE-2021-21551 with a CVSS score of 8.8. However, this single CVE can be broken down into the following five separate flaws:
CVE-2021-21551: Local Elevation Of Privileges #1 – Memory corruption
CVE-2021-21551: Local Elevation Of Privileges #2 – Memory corruption
CVE-2021-21551: Local Elevation Of Privileges #3 – Lack of input validation
CVE-2021-21551: Local Elevation Of Privileges #4 – Lack of input validation
CVE-2021-21551: Denial Of Service – Code logic issue
“The high severity flaws could allow any user on the computer, even without privileges, to escalate their privileges and run code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products,” noted SentinelLabs Senior Security Researcher Kasif Dekel, who discovered the vulnerability, in a blog post detailing the technical issues.

The high-severity flaws are unlikely to be exploited remotely over the internet, since they are local privilege-escalation bugs. An attacker needs access to a non-administrator account on a vulnerable system to carry out an attack; from there, the driver vulnerability can be abused to gain increased system privileges. According to Dekel, the firmware update driver has been vulnerable since 2009, although there is no evidence so far of it being exploited in the wild.

“While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, with hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action. Our reason for publishing this research is to not only help our customers but also the community to understand the risk and to take action,” added Dekel.

SentinelLabs has also created Proof-of-Concept (PoC) code that it plans to release on June 1, 2021, in order to allow Dell users sufficient time to remediate the vulnerability.

“Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service, or information disclosure. Local authenticated user access is required before this vulnerability can be exploited,” Dell said in the advisory. “We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers. We have seen no evidence this vulnerability has been exploited by malicious actors to date. We appreciate the researchers working directly with us to resolve the issue.”

If you want to know whether your device still carries the vulnerable “dbutil_2_3.sys” file, you can follow Dell’s guide addressing the vulnerability here. SentinelLabs recommends that Dell users install Dell’s updated DBUtil driver as soon as possible to safeguard themselves against any potential attacks exploiting these security flaws.
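As an added, defender-side example (not part of the article, SentinelLabs’ research or Dell’s own guidance), the PowerShell inventory below reports whether a dbutil_2_3.sys file is present on a host and whether a DBUtil driver service is registered, so administrators can confirm remediation after applying Dell’s guide. The search locations and the DBUtil service-name pattern are assumptions for illustration; adjust them to match Dell’s advisory for your environment.

```powershell
# Added example: inventory a Windows host for the vulnerable Dell dbutil_2_3.sys driver.
# Assumption: the utility drops the driver into the temp folders listed below; extend
# $candidateDirs if your environment stages it elsewhere.
$driverName = 'dbutil_2_3.sys'
$candidateDirs = @(
    (Join-Path $env:SystemRoot 'Temp'),
    (Join-Path $env:SystemRoot 'System32\drivers')
)
# Add every user profile's %LOCALAPPDATA%\Temp (per-user staging location, assumed).
Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $candidateDirs += Join-Path $_.FullName 'AppData\Local\Temp' }

# Collect path, hash and Authenticode signer for every copy found, so the hash can be
# compared against the values published in Dell's advisory rather than guessed here.
$findings = foreach ($dir in $candidateDirs) {
    $file = Join-Path $dir $driverName
    if (Test-Path -LiteralPath $file) {
        [pscustomobject]@{
            Path   = $file
            SHA256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            Signer = (Get-AuthenticodeSignature -LiteralPath $file).SignerCertificate.Subject
        }
    }
}

# A registered kernel service means the driver can still be loaded even if the file
# was moved; the 'DBUtil%' name pattern is an assumption.
$services = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE 'DBUtil%'" -ErrorAction SilentlyContinue

if ($findings) {
    Write-Warning "Vulnerable driver file(s) present; stop the service and remove them per Dell's guidance:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No $driverName found in the checked locations."
}
foreach ($svc in $services) {
    Write-Warning "Driver service registered: $($svc.Name) State=$($svc.State) Path=$($svc.PathName)"
}
```

Run it from an elevated prompt so all user profiles and the driver store are readable.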