On May 4th, researchers at SentinelOne disclosed four vulnerabilities under one CVE number for Dell’s firmware update driver dbutil_2_3.sys. Four out of the five vulnerabilities allow an attacker to elevate from no privileges to kernel-level privileges by exploiting the vulnerable driver. This driver came preinstalled on every new Windows device produced by Dell and has been in use since 2009. While there have been various versions of the driver, the estimated number of affected devices is in the hundreds of millions, since OEM updates such as BIOS and firmware updates are often treated as out of band by individual consumers and organizations alike. However, despite the updater’s end-of-life date being many years past, Dell has already begun to push the update, and it is available to devices now.
While SentinelOne noted that exploits for these vulnerabilities have not been seen in the wild, it is always important to keep in mind that proof-of-concept exploits will be developed and often become publicly available once enough attention is brought to a vulnerability. If an organization has a fleet of Dell devices deployed to users, updating those devices should be treated as a higher priority, as gaining kernel-level privileges at scale has far-reaching implications. It should also be said that many EDR platforms often put kernel-level attacks out of scope because they do not have kernel-level privileges.
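Prioritizing the update across a fleet starts with knowing which endpoints still carry the driver. The following PowerShell check is an added example, not code from the original post, from SentinelOne, or from Dell; it reports whether dbutil_2_3.sys is present on disk or registered as a kernel service on the host it runs on. The Temp-folder search roots and the "dbutil" service-name pattern are assumptions and should be adjusted to your environment.

```powershell
# Added example: per-host inventory check for Dell's dbutil_2_3.sys driver.
# Run in an elevated PowerShell session; the output is a JSON object per host
# that can be collected by your endpoint management or SIEM tooling.
# Assumption (not stated in the post): the driver is typically dropped into
# the system and per-user Temp folders by the firmware update utility.
$searchRoots = @(
    "$env:SystemRoot\Temp",
    "$env:SystemDrive\Users"
)

# 1. Locate copies of the driver file and record hash, version and timestamp.
$files = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'dbutil_2_3.sys' -Recurse -File -ErrorAction SilentlyContinue
}
$fileReport = foreach ($f in $files) {
    [pscustomobject]@{
        Path        = $f.FullName
        Sha256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        FileVersion = $f.VersionInfo.FileVersion
        LastWrite   = $f.LastWriteTime
    }
}

# 2. Check whether the driver is registered or running as a kernel service.
# Assumption: the service name or image path contains "dbutil".
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like '*dbutil*' -or $_.PathName -like '*dbutil_2_3.sys*' } |
    Select-Object Name, State, StartMode, PathName

# 3. Summarise the host's status so fleet-wide results can be aggregated.
$result = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    DriverOnDisk = @($fileReport).Count -gt 0
    DriverLoaded = @($services | Where-Object { $_.State -eq 'Running' }).Count -gt 0
    Files        = @($fileReport)
    Services     = @($services)
}
$result | ConvertTo-Json -Depth 4
```

A host reporting DriverOnDisk or DriverLoaded as true is a candidate for the Dell update and, until patched, for closer monitoring of privilege-escalation activity.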