Dell patched a vulnerable BIOS driver used continuously for the past decade.
SentinelOne, which discovered the five bugs in DBUtil driver version 2.3, believes the driver has been in use at least since 2009. According to Dell, the driver was used in a variety of Alienware, Canvas, ChengMeng, G, Gaming, Precision (including towers and racks), Inspiron, Latitude, OptiPlex, Precision, Vostro, Wyse, and XPS models as well as some laptop docks and Active System Manager IT products.
"We encourage customers to review the Dell Security Advisory (DSA-2021-088), and follow the remediation steps as soon as possible," said a representative from Dell. The company also posted a FAQ document with additional information.
The five bugs, collectively cataloged as CVE-2021-21551, create privilege escalation and denial of service issues stemming from memory corruption, lack of authentication, and code logic flaws. SentinelOne principal threat researcher Juan Guerrero-Saade said the vulnerability would be fairly useful for the second stage of a breach.
"A lot of us obsess over the exploits that make initial intrusion easier, but the truth is that initial intrusion isn't that hard," said Guerrero-Saade. "Most of the attacks that we see, particularly with ransomware and the kinds of run-of-the-mill financial crime that people worry about, is just an attachment or somebody clicking on a link executing a file or enabling macros on a document that they don't recognize. So, in reality, what we're talking about is something that comes into the second phase, which is establishing a foothold on a network."
SentinelOne has not seen the bug exploited in the wild.
The fact that the bugs went so long without being noticed is not that surprising, said Guerrerro-Saade, given Dell's immense code base and companies' frequent blind spots to legacy vulnerabilities in long-used software.
As of Monday afternoon, SentinelOne reported the certificate authenticating the vulnerable driver had not been revoked. Guerrero-Saade said that would be an easy albeit impractical solution to prevent unknowing users from running the old version of the driver.
"It might be an unreasonable expectation to ask Dell to revoke their certificates. I'm sure that they've signed other things with it," he said. "But it creates a sort of realpolitik concern that basically means if people aren't paying attention, they're not going to know to patch."
For those who are paying attention, the best mitigation is to update the driver.
"The presence of the driver in its entirety is a concern," he said.