date 2021-05-05

Dell has released security patches to correct five high-severity vulnerabilities found by the security firm SentinelLabs in the driver used to update the BIOS of its Windows machines. They affect tens of millions of consumer and business desktops, laptops and tablets and have been present for 12 years.

The patch released by Dell fixes what the company calls “insufficient access control vulnerabilities.” The flaws are tracked under CVE-2021-21551 and reside in the dbutil driver that the company uses to update the firmware (BIOS) of its computers. The vulnerabilities can be used to crash systems, steal information and escalate privileges to take full control of machines.

Basically, the Dell driver accepts calls from any user account or program. There are no security checks and no access control list to verify that the caller has sufficient privileges or is otherwise authorized. These calls, known as IOCTLs (I/O control requests), can instruct the kernel-level driver to copy the contents of memory from one address to another, allowing an attacker to read and write arbitrary kernel memory.

The driver even allows anyone to perform x86 I/O port reads and writes, granting access to the underlying hardware. There are five bugs in total: two memory corruption bugs, two cases of missing input validation and one logic error. Once any of them has been exploited, it is game over: the machine can be fully controlled at the operating-system level, or malware can be installed as a rootkit.

The only ‘positive’ aspect is that these vulnerabilities cannot be exploited remotely; attackers would need physical access to the machines. The question is how vulnerabilities of this kind, in software as critical as BIOS update tooling, could go unnoticed for 12 years.

So far, SentinelLabs has found no evidence that these vulnerabilities were being exploited. “While we have not seen any indicators that these vulnerabilities have been exploited so far, with hundreds of millions of businesses and users currently vulnerable, it is inevitable that attackers will seek out those who do not take appropriate action,” said Kasif Dekel, a SentinelOne senior security researcher who helped find these holes.

The recommended measure is to update the affected computers as soon as possible. They number in the tens of millions, as the vulnerabilities date back to 2009 and affect models ranging from the Latitude series to the Inspiron line, including the G-series gaming laptops.

Dell has released patch DSA-2021-088 to fix the bugs in the dbutil driver and has provided additional information on addressing these vulnerabilities, which date back no less than 12 years.
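As an added example (not Dell's or SentinelLabs' code), the following PowerShell inventory script lets an administrator check whether a copy of the vulnerable dbutil driver is still present on a Windows host or registered as a driver service, so the DSA-2021-088 fix can be confirmed. It assumes the driver file name dbutil_2_3.sys and the two temp-directory locations, which are taken from Dell's public advisory rather than from this article, and exposes both as parameters so they can be changed.

```powershell
# Added example: inventory a host for the vulnerable Dell dbutil driver.
# Assumptions (not from the article): the file name and the temp locations
# below are the ones documented in Dell's advisory for DSA-2021-088.
param(
    [string]$DriverFileName = 'dbutil_2_3.sys',
    [string[]]$SearchRoots = @("$env:SystemRoot\Temp") +
        (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Copies on disk: Dell's updater writes the driver into temp folders, and a
#    leftover copy means the vulnerable component can still be handed to the kernel.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Filter $DriverFileName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind   = 'File'
                Detail = $_.FullName
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
            })
        }
}

# 2. Registered driver services: a running instance means the unauthenticated
#    IOCTL interface described in the article is reachable by any local user.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -like "*$DriverFileName*") } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Kind   = 'Service'
            Detail = "$($_.Name) state=$($_.State) path=$($_.PathName)"
            SHA256 = $null
            Signer = $null
        })
    }

if ($findings.Count -eq 0) {
    Write-Output "No copy of $DriverFileName found on disk or registered as a driver service."
} else {
    Write-Warning "Found $($findings.Count) occurrence(s) of $DriverFileName; check them against DSA-2021-088 and apply Dell's fix."
    $findings | Format-Table -AutoSize
}
```

A hit only shows that the vulnerable component is still present, not that it has been abused; the hash and signer columns are there so each copy can be compared against the version information in Dell's advisory.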