Critical vulnerabilities in upgrade component in Dell; update immediately

Cybersecurity specialists reported the finding of at least five severe security flaws in Dell’s firmware update mechanism, which could put millions of the company’s desktops, laptops, and electronic tablets at risk. These flaws appear to have existed for at least 12 years and their exploitation would allow threat actors to bypass security mechanisms on affected systems to launch code execution attacks, among other attack scenarios.

These local privilege escalation flaws reside in the module that controls the v2.3 firmware update, in use since 2009. This component manages Dell firmware updates through the BIOS utility and is pre-installed on most Dell computers running Windows systems.

SentinelLabs experts, who published a report related to these flaws, mention: “There must currently be hundreds of millions of Dell devices receiving updates using this compromised component for both individual users and enterprise environments.” The flaws were identified together as CVE-2021-21551 and received an 8.8/10 score on the Common Vulnerability Scoring System (CVSS) scale. Experts add that flaws allow threat actors to scale privileges to kernel mode.

The following is a brief description of the five flaws that make up report CVE-2021-21551:

  1. Memory corruption flaw
  2. Memory corruption flaw
  3. Absence of system input validations
  4. Absence of system input validations
  5. Denial of Service (DoS) flaw due to a logical problem in the code

SentinelLabs’ report mentions that the firm also developed proof of concept, although it will not yet be disclosed due to the imminent risk of exploitation. Still, the researchers described some of the flaws in the affected mechanism: “The first problem with this driver is related to the fact that it accepts requests without additional ACL requirements, so it can be invoked by non privileged and potentially malicious user.” As you’ll remember, ACL rules allow unauthorized users to be blocked from specific resources, so their omission can be catastrophic in a compromised deployment.

Experts also noted that it is possible to execute kernel-mode input/output statements with arbitrary commands, giving specific instructions on what data should be manipulated: “Exploitation of this condition is more complex, as it would require the use of multiple techniques to perform privilege escalation. This is not to say that the exploitation of these flaws is impossible, so the manufacturer must take the report seriously.”

Security patches to address these vulnerabilities have already been released, so users in affected deployments are invited to update as soon as possible. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.