Serious vulnerabilities in Dell firmware update driver discovered and fixed

At least three companies have reported the dbutil_2_3.sys security issues to Dell over the past two years.

Yesterday, infosec research firm SentinelLabs disclosed 12-year-old flaws in Dell’s firmware updater, DBUtil 2.3. The vulnerable firmware updater has been installed by default on hundreds of millions of Dell systems since 2009.

The five high-severity flaws SentinelLabs discovered and reported to Dell lurk in the dbutil_2_3.sys module, and they have been rounded up under a single CVE tracking number, CVE-2021-21551. There are two memory-corruption issues and two lack-of-input-validation issues, all of which can lead to local privilege escalation, and a code logic issue which could lead to a denial of service.

A hypothetical attacker abusing these vulnerabilities can escalate the privileges of another process or bypass security controls to write directly to system storage. This provides multiple routes to the ultimate goal of local kernel-level access—a step even higher than Administrator or “root” access—to the entire system.

This isn’t a remote code execution vulnerability—an attacker sitting across the world or even across the coffee shop can’t use it directly to compromise your system. The major risk is that an attacker who gets an unprivileged shell by way of some other vulnerability can use a local privilege escalation exploit like this one to bypass security controls.

Since SentinelLabs notified Dell in December 2020, the company has provided documentation of the flaws and mitigation instructions which, for now, boil down to “remove the utility.” A replacement driver is also available, and it should be automatically installed at the next firmware update check on affected Dell systems.

SentinelLabs’ Kasif Dekel was at least the fourth researcher to discover and report this issue, following CrowdStrike’s Satoshi Tanda and Yarden Shafir and IOActive’s Enrique Nissim. It isn’t clear why Dell needed two years and three separate infosec companies’ reports to patch the issue—but to paraphrase CrowdStrike’s Alex Ionescu above, what matters most is that Dell’s users will finally be protected.
