Security researchers have discovered a BIOS driver privilege escalation flaw that has exposed hundreds of millions of Dell computers.
SentinelLabs uncovered the five high risk vulnerabilities in Dell’s firmware update driver that impacts Dell desktops, laptops, notebooks and tablets.
According to the research report, cyber attackers could exploit these High severity Dell vulnerabilities (identified collectively as CVE-2021-21551 and a CVSS score of 8.8) and locally escalate to kernel-mode privileges.
“Since 2009, Dell has released hundreds of millions of Windows devices worldwide which contain the vulnerable driver,” Kasif Dekel of SentinelLabs wrote in a blog post.
“This led to the discovery of five high severity bugs that have remained undisclosed for 12 years. These multiple high severity vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges.”
The Dell BIOS driver vulnerability CVE-2021-21551 consists of actually five flaws:
- Memory corruption that could result in local elevation of privileges (2)
- Lack of input validation that could result in local elevation of privileges (2)
- Code logic issue that could result in Denial Of Service (1).
At the time of the post, SentinelOne had not discovered evidence of any exploits in the wild.
Dell has also provided firmware updates that address the vulnerabilities in Dell Security Advisory DSA-2021-088.