BIOS PrivEsc Bugs Affect Hundreds of Millions of Dell PCs Worldwide
2021-05-05 03:13

PC maker Dell has issued an update to fix multiple critical privilege escalation vulnerabilities that went undetected since 2009, potentially allowing attackers to gain kernel-mode privileges and cause a denial-of-service condition.

The issues, reported to Dell by researchers from SentinelOne on Dec. 1, 2020, reside in a firmware update driver named "dbutil_2_3.sys" that comes pre-installed on its devices.

"Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service, or information disclosure. Local authenticated user access is required," Dell said in an advisory.

Although no evidence of in-the-wild abuse has been detected, SentinelOne said it plans to release the proof-of-concept code on June 1, 2021, giving Dell customers ample time to remediate the vulnerability.

SentinelOne's disclosure is the third time the same issue has been reported to Dell over the last two years, according to CrowdStrike's Chief Architect Alex Ionescu: first by the Sunnyvale-based cybersecurity firm in 2019 and again by IOActive.

Dell also credited Scott Noone of OSR Open Systems Resources with reporting the vulnerability.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/BSuO8npEbgI/bios-privesc-bug-affects-hundreds-of.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Dell 1650 96 430 286 92 904