Dell has released an update for access control vulnerabilities classified as CVE-2021-21551, which affects Dell computers dating back to 2009. The vulnerability is in a firmware update utility shipped with Dell computers. SentinelLabs, an infosec research firm revealed the vulnerability on the 4th. This refers to five high-severity vulnerabilities pertaining to BIOS driver privilege escalation.
Of these vulnerabilities, two of them are memory corruption vulnerabilities, two are a lack of input validation, and one is a code logic issue posing a denial-of-service risk. The vulnerabilities can be used to execute code in kernel mode (which gives the attacker even more control over the computer than an administrator’s account), bypass security products, or escalate the privileges of another process.
The proof-of-concept is being withheld until June 1 to give Dell customers time to update and correct the issue. The affected driver is dbutil_2_3.sys, and Dell is offering the update on their website.