Dell ControlVault3 and ControlVault3 Plus Hard-Coded Password Vulnerability in WBDI Driver
Vulnerability
A hard-coded password vulnerability has been identified in the ControlVault WBDI Driver of Dell ControlVault3 versions prior to 5.15.14.19 and Dell ControlVault3 Plus versions prior to 6.2.36.47. This vulnerability allows an attacker to execute privileged operations by sending a specially crafted ControlVault API call. The issue arises because the Broadcom driver uses a hard-coded passphrase to authenticate access to sensitive biometric data, such as fingerprint templates and payloads, which a knowledgeable user can then manipulate or exfiltrate.
Impact
Exploitation of this vulnerability could lead to unauthorized access and manipulation of biometric data, allowing users to tamper with or potentially exfiltrate sensitive fingerprint information from the ControlVault device.
Remediation
Users can update to Dell ControlVault3 version 5.15.14.19 or later, or Dell ControlVault3 Plus version 6.2.36.47 or later. Specific update instructions can be found on the Dell Drivers & Downloads site.
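As an added example (not part of the advisory or Dell's tooling), the following Python script triages a fleet inventory against the fixed versions stated above. It compares versions as integer tuples rather than strings, and checks the "Plus" family before the plain family, since the product name "ControlVault3 Plus" also contains "ControlVault3". The inventory lines and hostnames are constructed for illustration.

```python
from typing import Optional

# Fixed versions stated in the advisory, keyed by product family.
FIXED_VERSIONS = {
    "ControlVault3 Plus": (6, 2, 36, 47),
    "ControlVault3": (5, 15, 14, 19),
}

def parse_version(text: str) -> tuple:
    # Compare as int tuples: as strings, "5.9.0.0" would sort after "5.15.14.19".
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)

def product_family(name: str) -> Optional[str]:
    # "Plus" must be checked explicitly: "ControlVault3 Plus" also contains
    # the substring "ControlVault3".
    lowered = name.lower()
    if "controlvault3" not in lowered:
        return None
    return "ControlVault3 Plus" if "plus" in lowered else "ControlVault3"

def is_vulnerable(name: str, version: str) -> Optional[bool]:
    # True if below the fixed version, False if fixed, None if not in scope.
    family = product_family(name)
    if family is None:
        return None
    return parse_version(version) < FIXED_VERSIONS[family]

# Constructed sample inventory (hypothetical hosts): "hostname,product,version".
SAMPLE_INVENTORY = """\
lt-01,Dell ControlVault3,5.9.0.12
lt-02,Dell ControlVault3,5.15.14.19
lt-03,Dell ControlVault3 Plus,6.2.1.0
lt-04,Dell ControlVault3 Plus,6.2.36.47
lt-05,Dell Some Other Driver,1.0.0.0
"""

def triage(inventory: str) -> list:
    # Return hostnames whose ControlVault driver predates the fix.
    hits = []
    for line in inventory.splitlines():
        host, name, version = line.split(",")
        if is_vulnerable(name, version):
            hits.append(host)
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # → ['lt-01', 'lt-03']
```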