According to Dell, the vulnerable driver module is not pre-installed on its machines; it is present only once a BIOS, Thunderbolt, TPM, or dock firmware update has been applied to the system.
Dell also sent this statement to Gadgets 360: “We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers. We have seen no evidence this vulnerability has been exploited by malicious actors to date. We encourage customers to review the Dell Security Advisory (DSA-2021-088) and follow the remediation steps as soon as possible. We’ve also posted an FAQ for additional information. Thanks to the researchers for working directly with us to resolve the issue.”
Threat intelligence firm SentinelLabs discovered the issues in version 2.3 of Dell's firmware update driver module (dbutil_2_3.sys). The module is not limited to Dell-branded machines; it also ships with some Alienware gaming laptops and desktops. SentinelLabs also cautioned that the vulnerable driver could still be used in a BYOVD (Bring Your Own Vulnerable Driver) attack, because Dell did not revoke the driver's signing certificate when it released the patch.
Gadgets 360 has reached out to Dell for further clarification.
The first issue in the firmware update driver module is that it accepts Input/Output Control (IOCTL) requests without any Access Control List (ACL) requirement, so any process on the machine can send commands to it.
“Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused ‘by design’,” SentinelLabs researcher Kasif Dekel said.
The driver module was also found to allow execution of In/Out (I/O) port instructions in kernel mode with arbitrary operands (LPE #3 and LPE #4). In simpler terms, this means a process could interact directly with peripheral devices such as the HDD and GPU, reading from or writing to the disk while bypassing all of the operating system's security mechanisms.
Additionally, the driver file itself is written to the operating system's temporary folder. SentinelLabs calls this a bug in its own right and believes it opens the door to further issues.
“The classic way to exploit this would be to transform any BYOVD (Bring Your Own Vulnerable Driver) into an Elevation of Privileges vulnerability since loading a (vulnerable) driver means you require administrator privileges, which essentially eliminates the need for a vulnerability,” the researcher noted.
Dell has been aware of the issues reported by SentinelLabs since December 2020 and tracks them as CVE-2021-21551. The vulnerabilities carry a CVSS severity rating of 8.8 out of 10. However, both Dell and SentinelLabs note that they have seen no evidence of the vulnerabilities being exploited in the wild.
For all affected machines, Dell has released a patch that users are strongly advised to install through the Dell or Alienware Update utility. The company has also published a list of models that remain vulnerable to the bugs. The list includes over 380 models, among them popular Dell machines such as the latest XPS 13 and XPS 15 notebooks as well as the Dell G3, G5, and G7 gaming laptops. Nearly 200 further affected machines are no longer eligible for official service; these include the Alienware 14, Alienware 17, and the Dell Latitude 14 Rugged Extreme.
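Because the vulnerable file is dropped into the temporary folder and its signing certificate was not revoked, an administrator checking whether a machine has been remediated needs to look for the file itself rather than trust a signature check. The following PowerShell script is an added example (not Dell's or SentinelLabs' code) that reports every copy of dbutil_2_3.sys found in the user and system temp folders and the driver store, its SHA-256 hash and signer, and any registered kernel driver whose image path references it. The search locations other than the temp folder, and the decision to only report rather than remove, are assumptions of this example; the file name and advisory identifier come from the article.

```powershell
# Added example: inventory copies of the vulnerable Dell driver on this host.
# Run from an elevated PowerShell session. Only the temp-folder location is
# stated in the article; the other search roots are assumptions for coverage.

$DriverName = 'dbutil_2_3.sys'

# Candidate directories, de-duplicated and limited to those that exist.
$SearchRoots = @(
    $env:TEMP,
    $env:TMP,
    (Join-Path $env:SystemRoot 'Temp'),
    (Join-Path $env:SystemRoot 'System32\drivers')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# On-disk findings: path, hash and Authenticode signer for each copy found.
$Findings = foreach ($root in $SearchRoots) {
    Get-ChildItem -LiteralPath $root -Filter $DriverName -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # Expected to read 'Valid' even for the vulnerable build, since the
            # certificate was not revoked; this field alone proves nothing.
            SigStatus = $sig.Status
        }
    }
}

# Registered kernel drivers whose image path points at the file, with their
# current state, so a still-loaded instance is visible even if the file moved.
$LoadedRefs = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -like "*$DriverName*" } |
    Select-Object Name, State, StartMode, PathName

if (-not $Findings -and -not $LoadedRefs) {
    Write-Output "No copy of $DriverName found in the searched locations."
} else {
    $Findings   | Format-Table -AutoSize
    $LoadedRefs | Format-Table -AutoSize
    Write-Output "Review these findings against Dell Security Advisory DSA-2021-088 before removing anything."
}
```

The script deliberately stops at reporting: which copies to remove, and whether the firmware update utility needs to be re-run afterwards, is covered by Dell's advisory and FAQ, and a hunt script should not second-guess that on its own.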
This is not the first time a severe security issue has been found in Dell machines. In 2019, the company patched a critical flaw in its SupportAssist tool that affected millions of its PC users globally. Another serious issue was found in the Dell System Detect program back in 2015, which also exposed a large number of its users to attack.