Hundreds of millions of Dell users are at risk
There are five very serious vulnerabilities in Dell's firmware update drivers affecting hundreds of millions of desktops, laptops, and tablets, researchers at security research firm SentinelLabs said.
The flaws went undetected for twelve years and can allow attackers to bypass security products, execute code, and pivot to other parts of the network.
A local privilege escalation (LPE) flaw was detected in version 2.3 of the firmware update driver, which has been in use since 2009.
The driver manages firmware updates from Dell and Alienware through the Dell BIOS utility and is pre-installed on most Dell and Alienware Windows computers.
According to researchers at SentinelLabs, hundreds of millions of Dell devices, both consumer and business systems, regularly receive updates.
Collectively, these five flaws are tracked as CVE-2021-21551, with a CVSS severity score of 8.8 out of 10. They allow attackers to gain full privileges at the Windows kernel level.
Dell has released a security patch that corrects these vulnerabilities and provides instructions on how to install it if your computer is affected.
The list of affected PCs on the Dell website includes more than 380 models, including some of the latest XPS 13 and XPS 15 models, as well as the G3, G5 and G7 gaming laptops.
Dell also listed approximately 200 affected computers that reportedly no longer receive service updates.
SentinelLabs said that although the vulnerability has been around for a long time, it found no evidence that attackers have taken advantage of it.
Dell's FAQ states that to exploit the bug, someone first needs access to your computer, which they may obtain through malware, phishing, or remote access permissions.
It should also be noted that according to Dell, the firmware update driver is not preinstalled on all systems but rather is installed when the user updates the firmware on the computer.