Notebookcheck Logo

Dell's firmware update driver has harbored severe security bugs for over a decade, according to researchers

A Core i7 XPS 13. (Source: Dell)
A Core i7 XPS 13. (Source: Dell)
Dell has issued numerous patches as part of its latest Security Advisory (DSA-2021-088) in response to findings of a "severe" CVE consisting of five different privilege-exploit bugs that have apparently been in effect for the last 12 years. Fortunately, they have never been acted upon, which, as they could have allowed unauthorized users to write data or manipulate memory.
Business Convertible / 2-in-1 Desktop GPU Laptop Security Software Storage Ultrabook

The security research group SentinelLabs claims to have discovered potentially dangerous bugs in a common Dell driver that, as it claims, poses potentially "far reaching and significant" ramifications for hundreds of millions of individual and enterprise users with PCs from the OEM worldwide. 

The lab asserts that the vulnerabilities are found in the Dell firmware update driver module v2.3 (dbutil_2_3.sys) , which has been active on the company's machines since 2009. There are apparently 5 of these flaws, 4 of which are local privilege escalations (LPEs) and 1 a denial-of-service (DoS) bug.

Of the LPEs, 2 are described as arising from memory corruption and 2 from input validation deficiencies. According to SentinelLabs, they may lead to various entry-points for non-privileged users, one of the more prominent of which is the ability to enact input/output control (IOCTL) requests without reference to an access-control list (ACL).

This license to override ACLs (a set of rules intended to restrict access to privileged users only) might allow a malicious actor to create read/write vulnerabilities, or interact with components such as GPUs or hard drives. The 5 bugs are now known collectively as CVE-2021-21551, which holds a severity rating of 8.8 out of 10.

Then again, SentinelLabs also note they have no record of the flaws ever having been exploited (perhaps we would have heard of them sooner had this occurred). It apprised Dell of the situation long before publishing its research publicly, resulting in the Security Advisory DSA-2021-088 being pushed to all PCs running the affected driver.

However, the security team finds the measure unsatisfactory, claiming that its "certificate was not yet revoked (at the time of writing)". Nevertheless, installing the new fixed driver found in the recent DSA is advised to best protect against the potential security issues.

First thing to do on setting up your new XPS 13, then.

Source(s)

SentinelLabs via ThreatPost

Related Articles

The personal data of over 100 million Android users may have been exposed due to poor data management practices. (Image via Android with edits)
Poor data management put 100 million Android users at risk 05/25/2021
Fully loaded Dell XPS 13 9310 with 11th gen Core i7, 16 GB RAM, and 512 GB NVMe SSD now on sale for $1319 USD (Image source: Amazon)
Fully loaded Dell XPS 13 9310 with 11th gen Core i7, 16 GB LPDDR4x RAM, and 512 GB NVMe SSD now on sale for $1319 USD 05/22/2021
The new C8C security camera. (Source: EZVIZ)
EZVIZ launches its first pan/tilt outdoor Wi-Fi home security camera 05/19/2021
Latest Dell G15 gaming laptop on sale with GeForce RTX 3060 graphics, 120 Hz IPS display, and 10th gen Core i7 for $1173.99 USD (Source: Dell)
Latest Dell G15 gaming laptop on sale with GeForce RTX 3060 graphics, 120 Hz IPS display, and 10th gen Core i7 for $1173 USD 05/14/2021
Alienware m15 R6 gets a Tiger Lake-H upgrade. (Image Source: Dell)
Alienware m15 R6 launched with Tiger Lake-H, RTX 30 Ampere, and optional 360 Hz display and CherryMX mechanical keyboard 05/11/2021
Check Point reports a new MSM flaw. (Source: Wikichip)
Security researchers claim to find a severe vulnerability that may affect up to 30% of all Android phones worldwide 05/09/2021
MSI Summit E13 Flip vs. XPS 13 2-in-1: Giving Dell a run for its money
MSI Summit E13 Flip vs. XPS 13 2-in-1: Giving Dell a run for its money 05/01/2021
Dell presents a worthy MS Surface alternative. (Image Source: Dell)
Dell releases the Latitude 7320 detachable with Tiger Lake-U CPUs 04/27/2021
The Dell XPS 13 9310 is now available with an OLED screen, albeit for a US$300 surcharge from the regular FHD display. (Image source: Dell)
Dell launches the new XPS 13 with a 3.5K OLED touchscreen and Tiger Lake processors 04/13/2021
The Inspiron 16 Plus is targeted at content creators and includes a 3K screen with 16:10 aspect ratio. (Image Source: Dell)
Dell introduces Inspiron 16 Plus content creator laptop with 16:10 3K display, Tiger Lake-H CPUs and up to an Nvidia RTX 3060 GPU 04/13/2021
No discrete GPU option for the new AMD-powered versions, unfortunately. (Image Source: Dell)
Dell launches Inspiron 14 7415 2-in-1 with AMD Ryzen 5000U processors 04/13/2021
The 2021 Inspiron lineup will include Tiger Lake-H CPU and Nvidia MX450 dGPU options. (Image Source: Dell)
Dell refreshes the Inspiron 13/14/15 models with Tiger Lake-H CPUs and Nvidia MX450 dGPUs 04/13/2021
The G15 5510 and G15 5515 will launch at US$899.99. (Image source: Dell)
Dell G15 refreshed with an NVIDIA GeForce RTX 3060 and a choice between AMD Ryzen 5000 or Intel Comet Lake-H processors 04/07/2021
Dell has launched a new range of gaming monitors
Dell launches four new gaming monitors to go with its new Ryzen powered notebooks 04/07/2021
Cherry gets serious about laptop keyboards, will debut its ultra-thin mechanical keys on the Dell Alienware m15 and m17 series next month (Source: Dell)
Cherry gets serious about laptop keyboards, will debut its ultra-thin mechanical keys on the Dell Alienware m15 and m17 R4 this April 03/18/2021
static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2021 05 > Dell's firmware update driver has harbored severe security bugs for over a decade, according to researchers
Deirdre O'Donnell, 2021-05- 7 (Update: 2021-05- 7)