14 DAY TRIAL // Dell desktops, laptops, and tablets built after 2009 can be abused to grant rogue users and malware system-administrator access. According to reports, hundreds of millions of computers can be hacked.
This is possible due to by five security flaws present in a system driver, found on all DELL brand computers. Labeled as CVE 2021-21551, the group of vulnerabilities can be used to crash systems, steal information, and escalate privileges to gain complete power. Then again, the exploits can be done by a logged-in user or applications that are already running on the machine.
Kasif Dekel, senior security researcher at SentinelOne, warns that "While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, with hundreds of million of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action,"
What is the worst case scenario?
The bugs can be found in Dell's firmware update driver, and they're relatively easy to exploit. In essence, Dell's driver accepts device calls from any user or program on the machine without making any security checks or running the access control list to determine the caller's privileges.
The system calls, specifically IOCTL calls, can command the kernel-level driver to transfer memory contents from one address to another, thus allowing an attacker to read and write arbitrary kernel RAM. It's game over at that point, as the computer can be taken control of at operating system level, a rootkit added, and so on.
The driver also allows everyone to read and write x86 I/O ports and hence, access to the underlying hardware. In total, there are two memory corruption errors, two cases of input validation failure, and one logic error – some of which are relatively straightforward to exploit in practice, although others are more difficult.
After bug hunters reported the flaws in December, Dell released a patched driver as well as a FAQ on the topic. The patch is planned for launch from May 10.