Hundreds of millions of Dell desktops, laptops, notebooks, and tablets will need to update their Dell DBUtil driver to fix a 12-year-old vulnerability that exposes systems to attacks.
The bug, tracked as CVE-2021-21551, impacts version 2.3 of DBUtil, a Dell BIOS driver that allows the OS and system apps to interact with the computer’s BIOS and hardware.
In a report published today and shared with The Record, security firm SentinelOne said it found a vulnerability in this driver that could be abused to let threat actors access driver functions and execute malicious code with SYSTEM and kernel-level privileges.
Researchers said the DBUtil vulnerability cannot be exploited over the internet to gain access to unpatched systems remotely. Instead, threat actors who have already gained initial access to a computer, even as a low-privileged account, could abuse this bug to take full control of the compromised PC — in what the security community typically describes as a privilege escalation vulnerability.
The “vulnerable” driver landscape
This bug is nothing out of the ordinary. In fact, it’s the typical bug found in system drivers these days, many of which were coded years ago and have not always followed secure coding practices.
For the past few years, many in the security research community have found similar privilege escalation issues in drivers from a wide spectrum of hardware vendors.
The most extensive research on driver security issues was carried out by security firm Eclypsium in its “Screwed Drivers” paper, presented at Black Hat 2019.
The general conclusion of all previous work was that most drivers lack the most basic secure coding practices and often expose the systems they’re installed on —even something such as ATMs— to user privilege escalation attacks.
As a result, researchers are now arguing that the community and vendors should do more to scour drivers for security bugs and have vulnerabilities patched before attackers realize that a computer’s driver install base is such a fertile ground for privilege escalation possibilities.
Right now, a few threat actors have already realized this. For example, security firm Sophos observed the RobbinHood ransomware gang deploying an older version of a Gigabyte driver on infected systems so it could exploit it to gain full control over infected hosts.
As for this Dell bug, SentinelOne said it has worked with Dell since December to make sure fixes are available. The company said it plans to release proof-of-concept code for CVE-2021-21551 on June 1. It recommended that system administrators and users apply the Dell DBUtil updates before then.
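As an added example, not from the article, SentinelOne or Dell: a read-only PowerShell inventory check a defender could run on a Windows host to see whether the DBUtil driver is registered as a kernel service or left lying on disk, so it can be removed and the Dell update applied. It assumes the affected driver file is named dbutil_2_3.sys (the article only gives the version number) and that leftover copies sit in the Windows and per-user Temp folders; verify both against Dell’s advisory.

```powershell
# Added example, not from the article or from SentinelOne/Dell.
# Assumption: the vulnerable DBUtil 2.3 driver file is named dbutil_2_3.sys.
$driverName = 'dbutil_2_3.sys'

# 1. Is a kernel driver service currently registered that points at this file?
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -match [regex]::Escape($driverName)) } |
    Select-Object Name, State, StartMode, PathName

# 2. Look for on-disk copies. Assumed locations: the system Temp folder,
#    the drivers directory, and each user's local Temp folder.
$searchRoots = @("$env:SystemRoot\Temp", "$env:SystemRoot\System32\drivers") +
    (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

$onDisk = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Record version, hash and signer so the finding can be matched
            # against the vendor advisory and fed into an inventory.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer      = $sig.SignerCertificate.Subject
                SigStatus   = $sig.Status
            }
        }
}

if ($loaded) {
    "Registered kernel driver service referencing ${driverName}:"
    $loaded | Format-Table -AutoSize
}
if ($onDisk) {
    "On-disk copies of ${driverName} (compare hash/version with Dell's advisory):"
    $onDisk | Format-Table -AutoSize
}
if (-not $loaded -and -not $onDisk) {
    "No ${driverName} found; confirm the Dell DBUtil update has been applied."
}
```

Run it from an elevated prompt so the per-user Temp folders and driver directory are readable; it only reads and reports, it does not stop or delete anything.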
However, the issues reported today were not new, at least to Dell. According to CrowdStrike security expert Alex Ionescu, this was the third time in two years that someone reported the same issue to the hardware vendor.
It’s a shame that it eventually took 3 separate companies over the span of 2 years to keep reporting the same issue, but ultimately Dell users are now protected, which is the outcome that matters. Thanks to @rickmartinez06 for keeping the pressure on. — Alex Ionescu (@aionescu) May 4, 2021
Great write-up @kasifdekel!