HIGHLIGHTS
- The flaw in the Dell BIOS Utility driver is a set of five vulnerabilities that have existed since 2009
- Sentinel Labs disclosed the flaw to Dell in December 2020, and a patch has now been released
- Dell has urged everyone to apply the patch, including on out-of-service devices
In yet another significant cyber vulnerability detected by a security research firm, millions of Dell laptops and desktops have been found to carry a flaw that could have given attackers elevated access to system internals. This could have allowed hackers to carry out a wide range of attacks, including privilege escalation and denial of service. In simpler terms, a bug in software preinstalled on Dell laptops and desktops could have allowed hackers to gain admin-level access to users’ PCs and install malware deep inside the system, potentially locking users out of their own machines.
The flaw is in fact a collection of five different vulnerabilities in the Dell BIOS Utility driver, called DBUtil, present since as early as 2009. As reported by Sentinel Labs, the DBUtil driver contains a module responsible for delivering BIOS updates on Dell’s laptops and desktops. Of the module’s five flaws, two are memory corruption bugs, two are input validation failures, and one is a logic flaw that could be exploited for denial of service attacks.
Of these, the Sentinel Labs team notes that the most serious is that any app or service without administrator privileges could request the Dell BIOS Utility driver to grant it high-level system permissions. This is because the driver does not apply an access control list (ACL), the mechanism that normally stops non-admin apps from reaching such privileged functionality. Combined with the exposed function control, an attacker could therefore gain escalated system privileges by exploiting the driver flaw.
Describing the flaw, Sentinel Labs spokespeople wrote, “These critical vulnerabilities, which have been present in Dell devices since 2009, affect millions of devices and millions of users worldwide. As with a previous bug that lay in hiding for 12 years, it is difficult to overstate the impact this could have on users and enterprises that fail to patch.” The vulnerability was first reported to Dell in December 2020. Now, after sufficient testing and proof, a CVE entry has been listed with a CVSS (vulnerability severity) score of 8.8. However, because the patch will take a long time to roll out, Dell has refrained from revealing full details.
Dell, being one of the world’s biggest laptop and desktop makers, has naturally sold millions of PCs since 2009, many of which are likely affected by this flaw. The company is therefore releasing a patch for all affected devices, in partnership with Microsoft, and is urging everyone to apply the fix as early as possible. It is also worth noting how the cyber crime climate has evolved in recent years, which makes this patch even more important.
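For administrators who want to verify whether a vendor-supplied driver of this kind is still registered or present on a Windows host before and after applying the fix, the following inventory script is an added example; it is not code from the article, from Dell or from Sentinel Labs. The driver name is a placeholder to be replaced with the name given in the vendor advisory, and the temp-directory locations it scans are assumptions, not paths the article states.

```powershell
# Added example (not from the article, Dell, or Sentinel Labs): inventory check
# for a vendor-installed kernel driver on a Windows host, run from an elevated
# PowerShell prompt. The driver name is a PLACEHOLDER; take the real service/file
# name from the vendor advisory.
param(
    [string]$DriverName = 'VENDOR_DRIVER_NAME_FROM_ADVISORY'   # placeholder
)

# 1. Is a kernel driver service matching this name registered, and is it running?
#    Win32_SystemDriver lists every kernel-mode driver service known to the SCM.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like "*$DriverName*" -or $_.PathName -like "*$DriverName*" }

if ($drivers) {
    foreach ($d in $drivers) {
        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State        # 'Running' means the device object is live
            StartMode = $d.StartMode
            Path      = $d.PathName
        }
    }
} else {
    Write-Output "No registered driver service matching '$DriverName'."
}

# 2. Does a copy of the driver file remain on disk in common drop locations?
#    (Assumption: utility-installed drivers are often written to temp folders.)
$searchDirs = @("$env:SystemRoot\Temp", $env:TEMP)
$files = foreach ($dir in $searchDirs) {
    Get-ChildItem -Path $dir -Filter "*$DriverName*.sys" -ErrorAction SilentlyContinue
}

if ($files) {
    foreach ($f in $files) {
        # Signature status tells you whether the file is the vendor's signed binary
        # or a modified/unknown copy that deserves a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            File      = $f.FullName
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
            Modified  = $f.LastWriteTime
        }
    }
} else {
    Write-Output "No driver file matching '*$DriverName*.sys' found in: $($searchDirs -join ', ')"
}
```

Run it as `.\Check-Driver.ps1 -DriverName <name from advisory>`. A driver that is no longer registered but whose file still exists on disk is the case to watch for: the vendor's fix should remove or replace the file, so a leftover copy is a sign the remediation has not fully applied on that host.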