Dell ControlVault3 Privilege Escalation Vulnerability in WBDI Driver
Vulnerability
A privilege escalation vulnerability has been identified in the Dell ControlVault3 and ControlVault3 Plus products, specifically in the Broadcom Storage Adapter of the WBDI (Windows Biometric Driver Interface) driver. The issue affects Dell ControlVault3 versions prior to 5.15.14.19 and Dell ControlVault3 Plus versions prior to 6.2.36.47. It is triggered by a specially crafted WinBioControlUnit call that reaches the WBIO_USH_ADD_RECORD operation. That operation, intended to manage stored biometric data, can be misused to associate a user's identity with a fingerprint template, potentially allowing unauthorized authentication.
Impact
Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a user to manipulate biometric data and authentication processes.
Reproduction
To reproduce this vulnerability, an unprivileged user opens a WinBio session and locks a biometric unit, then issues a control command through WinBioControlUnit using the WBIO_USH_ADD_RECORD operation. The root cause is that the StorageContext's challenge verification can be bypassed: the challenge is uninitialized by default, so the verification provides no effective protection. Because the ControlVault WBDI driver performs no further validation, the user can add a fingerprint record under a different identity.
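To show why an unset challenge makes the check described above bypassable, and what a corrected check must do differently, here is an added, hypothetical C model. It is not the Dell or Broadcom driver code (whose structures and names are not on this page); StorageContext, challenge_issued, issue_challenge and the two add-record functions are assumed names, and the challenge/response is simplified to an equality check. The vulnerable form compares the caller's value against a context field that was never set; the hardened form fails closed unless a challenge was issued, compares in constant time and makes each challenge single-use.

```c
/* Hypothetical model (not the Dell/Broadcom driver code) of the flaw class
 * described above: a record-add operation whose challenge check compares
 * against a context field that was never set, so a caller who supplies the
 * same default value passes. The hardened form tracks whether a challenge
 * was actually issued, compares in constant time, and makes it single-use. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define CHALLENGE_LEN 16

typedef struct {
    uint8_t challenge[CHALLENGE_LEN];
    bool    challenge_issued;   /* the vulnerable path never consults this */
} StorageContext;

/* Constructed stand-in for a fresh context: the page says the challenge is
 * uninitialized by default; modelled deterministically here as all zeros. */
void context_init(StorageContext *ctx) {
    memset(ctx, 0, sizeof *ctx);
}

/* Vulnerable model: the caller's value is compared against the default. */
int vulnerable_add_record(StorageContext *ctx, const uint8_t *resp, size_t len) {
    if (len != CHALLENGE_LEN) return -1;
    return memcmp(ctx->challenge, resp, CHALLENGE_LEN) == 0 ? 0 : -1;
}

/* Hardened model: the unit must have issued a challenge before any record add. */
void issue_challenge(StorageContext *ctx, const uint8_t *rnd) {
    memcpy(ctx->challenge, rnd, CHALLENGE_LEN);   /* rnd: from a CSPRNG in practice */
    ctx->challenge_issued = true;
}

static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

int hardened_add_record(StorageContext *ctx, const uint8_t *resp, size_t len) {
    if (!ctx->challenge_issued || len != CHALLENGE_LEN) return -1; /* fail closed */
    int ok = ct_equal(ctx->challenge, resp, CHALLENGE_LEN);
    /* single use: clear the challenge whether or not the response matched */
    memset(ctx->challenge, 0, CHALLENGE_LEN);
    ctx->challenge_issued = false;
    return ok ? 0 : -1;
}
```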
Remediation
Users can update to Dell ControlVault3 versions 5.15.14.19 or later, or Dell ControlVault3 Plus versions 6.2.36.47 or later. Instructions for downloading the latest versions are available on the Dell Drivers & Downloads site.
