Notebookcheck
, , , , , ,
search relation.
, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
 

Dell's firmware update driver has harbored severe security bugs for over a decade, according to researchers

A Core i7 XPS 13. (Source: Dell)
A Core i7 XPS 13. (Source: Dell)
Dell has issued numerous patches as part of its latest Security Advisory (DSA-2021-088) in response to findings of a "severe" CVE consisting of five different privilege-exploit bugs that have apparently been in effect for the last 12 years. Fortunately, they have never been acted upon, which, as they could have allowed unauthorized users to write data or manipulate memory.
, , , , , ,
search relation.
, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
 

The security research group SentinelLabs claims to have discovered potentially dangerous bugs in a common Dell driver that, as it claims, poses potentially "far reaching and significant" ramifications for hundreds of millions of individual and enterprise users with PCs from the OEM worldwide. 

The lab asserts that the vulnerabilities are found in the Dell firmware update driver module v2.3 (dbutil_2_3.sys) , which has been active on the company's machines since 2009. There are apparently 5 of these flaws, 4 of which are local privilege escalations (LPEs) and 1 a denial-of-service (DoS) bug.

Of the LPEs, 2 are described as arising from memory corruption and 2 from input validation deficiencies. According to SentinelLabs, they may lead to various entry-points for non-privileged users, one of the more prominent of which is the ability to enact input/output control (IOCTL) requests without reference to an access-control list (ACL).

This license to override ACLs (a set of rules intended to restrict access to privileged users only) might allow a malicious actor to create read/write vulnerabilities, or interact with components such as GPUs or hard drives. The 5 bugs are now known collectively as CVE-2021-21551, which holds a severity rating of 8.8 out of 10.

Then again, SentinelLabs also note they have no record of the flaws ever having been exploited (perhaps we would have heard of them sooner had this occurred). It apprised Dell of the situation long before publishing its research publicly, resulting in the Security Advisory DSA-2021-088 being pushed to all PCs running the affected driver.

However, the security team finds the measure unsatisfactory, claiming that its "certificate was not yet revoked (at the time of writing)". Nevertheless, installing the new fixed driver found in the recent DSA is advised to best protect against the potential security issues.

First thing to do on setting up your new XPS 13, then.

Source(s)

static version load dynamic
Loading Comments
Comment on this article
, , , , , ,
search relation.
, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
 
Deirdre O'Donnell
Deirdre O'Donnell - Senior Tech Writer - 4334 articles published on Notebookcheck since 2018
I became a professional writer and editor shortly after graduation. My degrees are in biomedical sciences; however, they led to some experience in the biotech area, which convinced me of its potential to revolutionize our health, environment and lives in general. This developed into an all-consuming interest in more aspects of tech over time: I can never write enough on the latest electronics, gadgets and innovations. My other interests include imaging, astronomy, and streaming all the things. Oh, and coffee.
contact me via: LinkedIn
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2021 05 > Dell's firmware update driver has harbored severe security bugs for over a decade, according to researchers
Deirdre O'Donnell, 2021-05- 7 (Update: 2021-05- 7)