UPDATED 21:15 EDT / MAY 04 2021


Vulnerabilities in Dell driver affect hundreds of millions of computers

Dell Technologies Inc. today issued an urgent patch to address vulnerabilities found in hundreds of millions of computers sold by the company since 2009.

Discovered and publicized today by researchers at SentinelLabs, the five vulnerabilities, tracked collectively as CVE-2021-21551, affect DBUtil 2.3, a Dell BIOS driver that allows the operating system and system apps to interact with the computer’s BIOS, the firmware used in booting up a computer, and with its hardware.

Rated with a CVSS score of 8.8 on a scale of 10, the vulnerabilities include four that can be exploited for privilege escalation and one that can be used for a denial-of-service attack. The five collectively cover memory corruption, input validation and a code-logic issue.

It’s serious enough that Dell has created a knowledge base article as well as provided a fix. But the vulnerabilities cannot be exploited via the internet; exploiting them requires an attacker with direct access to the affected device. With access to a device, an attacker, through privilege escalation, can execute arbitrary code with kernel-mode permissions. In doing so, the attacker could bypass security products and take full control of the device.

“An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege,” the researchers noted. “Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”

On the positive side, the researchers said they haven’t seen any indication that the vulnerabilities are being exploited in the wild yet. They added that with hundreds of millions of enterprises and users currently vulnerable, they believe it’s inevitable that attackers will seek out those who don’t take the appropriate action.

Dell advises customers to immediately remove the vulnerable dbutil_2_3.sys driver from affected systems, either by downloading and running a utility that removes the driver or by removing it manually. After that’s done, users should obtain and run the latest firmware update packages through the appropriate update utility package: Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent or Dell Platform Tags as applicable.
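
To confirm whether the file Dell names is present on a machine, before and after removal, a sweep along these lines can be run. This is an added example, not Dell's or SentinelLabs' tooling; the directories to search are supplied by the operator, and the function names are hypothetical.

```python
import hashlib
import json
import os
import sys
from datetime import datetime, timezone

DRIVER_NAME = "dbutil_2_3.sys"  # file name taken from Dell's guidance above


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so it is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_driver(roots, name=DRIVER_NAME):
    """Return (hits, unreadable): matching files with metadata, and paths that could not be read."""
    hits, unreadable = [], []
    wanted = name.lower()  # Windows file names are case-insensitive
    for root in roots:
        walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
        for dirpath, _dirs, files in walker:
            for filename in files:
                if filename.lower() != wanted:
                    continue
                full = os.path.join(dirpath, filename)
                try:
                    info = os.stat(full)
                    modified = datetime.fromtimestamp(info.st_mtime, timezone.utc)
                    hits.append({
                        "path": full,
                        "size": info.st_size,
                        "modified_utc": modified.isoformat(),
                        "sha256": sha256_of(full),  # lets copies be compared across hosts
                    })
                except OSError:
                    unreadable.append(full)  # locked or access denied: check by hand
    return hits, unreadable


if __name__ == "__main__":
    # Assumption: the operator passes one or more directories to search as arguments.
    found, skipped = find_driver(sys.argv[1:] or [os.getcwd()])
    print(json.dumps({"hits": found, "unreadable": skipped}, indent=2))
    sys.exit(1 if found else 0)  # non-zero exit lets a fleet tool flag the host
```

A hit means the file is on disk, not that the driver is loaded. Paths listed as unreadable were not checked and need a manual look.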
