Yesterday, infosec research firm SentinelLabs disclosed 12-year-old flaws in DBUtil 2.3, a driver that Dell's firmware update utilities install on the system. According to SentinelLabs, the vulnerable driver has been installed by default on hundreds of millions of Dell systems since 2009.
The five high-severity flaws SentinelLabs discovered and reported to Dell lurk in the dbutil_2_3.sys driver and have been grouped under a single CVE identifier, CVE-2021-21551. Four of them can lead to local privilege escalation: two are memory-corruption bugs and two are missing-input-validation bugs. The fifth is a code-logic issue that can lead to denial of service.
An attacker who already has local access to the machine can abuse these flaws to escalate the privileges of another process, or to bypass security controls and write directly to system storage. Either route leads to the same end goal: local kernel-level access to the entire system, which is a step above even Administrator or "root" access, because code running in the kernel is not subject to the access checks that constrain an Administrator's processes.
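To make the "missing input validation leads to privilege escalation" chain concrete, here is an added example written for this article; it is not Dell's code, not SentinelLabs' proof of concept, and it does not reproduce the real driver's request format or IOCTL numbers. It is a user-mode model of a driver IOCTL handler that takes a caller-supplied "write this value at this address" request. The vulnerable version trusts the address (an arbitrary kernel write, the same primitive class the article describes), so an unprivileged caller can flip a flag on a modelled process object; the hardened version only accepts addresses inside the caller's own buffer. The `proc` object, its `is_admin` flag and the `write_req` layout are all assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a per-process kernel object. A real kernel keeps a
 * privilege token here; this model reduces it to a single flag (assumption). */
struct proc {
    const char *name;
    uint32_t is_admin;          /* 0 = unprivileged, 1 = privileged */
};

/* Constructed request format: "store this 32-bit value at this address".
 * A handler that lacks input validation trusts both fields. */
struct write_req {
    uintptr_t addr;
    uint32_t value;
};

/* VULNERABLE: no check that addr lies inside memory the caller owns. Whatever
 * address the caller names is written, including the kernel's own objects. */
static int ioctl_write_vulnerable(const struct write_req *req) {
    *(volatile uint32_t *)req->addr = req->value;
    return 0;
}

/* HARDENED: accept only addresses inside the caller-owned buffer [buf, buf+len),
 * with the bound computed so that addr + 4 cannot wrap or run past the end. */
static int ioctl_write_hardened(const struct write_req *req,
                                uint8_t *buf, size_t buf_len) {
    uintptr_t lo = (uintptr_t)buf;
    if (buf_len < sizeof(uint32_t) ||
        req->addr < lo ||
        req->addr > lo + (buf_len - sizeof(uint32_t)))
        return -1;              /* refused: outside caller-owned memory */
    memcpy((void *)req->addr, &req->value, sizeof req->value);
    return 0;
}

/* An unprivileged caller aims the vulnerable write at the modelled process
 * object. Returns the is_admin flag afterwards: 1 means escalation succeeded. */
uint32_t escalate_via_vulnerable(void) {
    struct proc me = { "attacker", 0 };
    struct write_req req = { (uintptr_t)&me.is_admin, 1 };
    ioctl_write_vulnerable(&req);
    return me.is_admin;
}

/* Same attempt against the hardened handler. Returns the handler's status:
 * -1 means the out-of-bounds write was refused. */
int hardened_status_for_kernel_address(void) {
    struct proc me = { "attacker", 0 };
    uint8_t scratch[64] = {0};
    struct write_req req = { (uintptr_t)&me.is_admin, 1 };
    return ioctl_write_hardened(&req, scratch, sizeof scratch);
}

/* And the flag after that refused attempt: stays 0. */
uint32_t escalate_via_hardened(void) {
    struct proc me = { "attacker", 0 };
    uint8_t scratch[64] = {0};
    struct write_req req = { (uintptr_t)&me.is_admin, 1 };
    (void)ioctl_write_hardened(&req, scratch, sizeof scratch);
    return me.is_admin;
}

/* Legitimate use still works: a write inside the caller's own buffer is
 * accepted, and the stored value reads back. */
uint32_t legitimate_write_hardened(void) {
    uint8_t scratch[64] = {0};
    uint32_t readback = 0;
    struct write_req req = { (uintptr_t)scratch + 8, 0xCAFEu };
    if (ioctl_write_hardened(&req, scratch, sizeof scratch) != 0)
        return 0;
    memcpy(&readback, scratch + 8, sizeof readback);
    return readback;
}

int main(void) {
    printf("vulnerable handler, attacker is_admin after write: %u\n",
           escalate_via_vulnerable());
    printf("hardened handler, status for kernel address: %d\n",
           hardened_status_for_kernel_address());
    printf("hardened handler, attacker is_admin after attempt: %u\n",
           escalate_via_hardened());
    printf("hardened handler, in-bounds write reads back: 0x%X\n",
           legitimate_write_hardened());
    return 0;
}
```

The bounds check is the whole fix: a real Windows driver gets the same effect by using buffered I/O so the request data is copied into a kernel-owned buffer, and by never dereferencing a raw caller-supplied pointer without probing and validating it first. The model also shows why "local privilege escalation" is the right severity label for this class: the attacker needs nothing more than the ability to open the device and send a request, and the payoff is a write into memory the kernel trusts.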