Article 5HG6B Severe vulnerabilities in Dell firmware update driver found and fixed

Severe vulnerabilities in Dell firmware update driver found and fixed

by
Jim Salter
from Ars Technica - All content on (#5HG6B)
hackers-lol-800x600.jpg

Enlarge / At least three companies have reported the dbutil_2_3.sys security problems to Dell over the past two years. (credit: Blogtrepreneur / Flickr)

Yesterday, infosec research firm SentinelLabs revealed 12-year-old flaws in Dell's firmware updater, DBUtil 2.3. The vulnerable firmware updater has been installed by default on hundreds of millions of Dell systems since 2009.

The five high-severity flaws SentinelLabs discovered and reported to Dell lurk in the dbutil_2_3.sys module, and they have been rounded up under a single CVE tracking number, CVE-2021-21551. There are two memory-corruption issues and two lack of input validation issues, all of which can lead to local privilege escalation and a code logic issue, which could lead to a denial of service.

A hypothetical attacker abusing these vulnerabilities can escalate the privileges of another process or bypass security controls to write directly to system storage. This offers multiple routes to the ultimate goal of local kernel-level access-a step even higher than Administrator or "root" access-to the entire system.

Read 3 remaining paragraphs | Comments

index?i=Bqy0ntFG9Y4:H3uCof5tRCs:V_sGLiPB index?i=Bqy0ntFG9Y4:H3uCof5tRCs:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments