Yesterday, infosec analysis agency SentinelLabs revealed 12-year-old flaws in Dell’s firmware updater, DBUtil 2.3. The susceptible firmware updater has been put in by default on lots of of tens of millions of Dell methods since 2009.
The 5 high-severity flaws SentinelLabs found and reported to Dell lurk within the
dbutil_2_3.sys module, they usually have been rounded up below a single CVE monitoring quantity, CVE-2021-21551. There are two memory-corruption points and two lack of enter validation points, all of which may result in native privilege escalation and a code logic subject which may result in a denial of service.
A hypothetical attacker abusing these vulnerabilities can escalate the privileges of one other course of or bypass safety controls to jot down on to system storage. This provides a number of routes to the final word aim of native kernel-level entry—a step even increased than Administrator or “root” entry—to all the system.
Biz & IT – Ars Technica