Dell ControlVault3 Buffer Overflow Vulnerability in CvManager_SBI Functionality Allowing Arbitrary Code Execution
Vulnerability
A buffer overflow vulnerability has been identified in the CvManager_SBI functionality of Dell ControlVault3 firmware versions prior to 5.15.14.19 and Dell ControlVault3 Plus versions prior to 6.2.36.47. A low-privilege user can trigger it by sending a specially crafted ControlVault API call. The firmware does not check the size of the incoming command blob against the size of the global buffer it copies the blob into, so an oversized blob overflows that buffer and corrupts the memory that follows it. Among the data structures that can be overwritten is the Secure Code Descriptor; once it is under attacker control, a forged application firmware update can be submitted and is incorrectly validated as legitimate.
Impact
Successful exploitation gives a low-privilege local user arbitrary code execution on the ControlVault device (the Broadcom BCM5820X firmware) in the affected system. Because the same overflow can corrupt the Secure Code Descriptor, the attacker can also install a forged application firmware update that the device accepts as legitimate.
Reproduction
To reproduce the issue, send a ControlVault API call through the userland 'bcmbipdll.dll' library. The 'cvusbdrv.sys' device driver relays the command to the ARM firmware running on the Broadcom BCM5820X chip. Craft the command so that its blob is larger than the global buffer the firmware copies it into; because the firmware performs no adequate size check, the copy runs past the end of the buffer. The excess bytes land in adjacent memory, including the Secure Code Descriptor, which can then be rewritten so that a forged firmware update passes validation.
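The following is an added illustrative model of the bug class described in the Vulnerability and Reproduction sections above. It is not Dell or Broadcom code and does not reflect the real ControlVault3 memory layout, descriptor format, or command structure: the 64-byte command buffer, the 8-byte descriptor (a stand-in for the Secure Code Descriptor), the "CVD1" magic, the FNV-1a toy digest and the sample images are all constructed for the example. It shows the unchecked copy of a host-controlled blob into a fixed-size global buffer, how the bytes past the end rewrite the descriptor the update verifier trusts so that a forged image is accepted, and the hardened handler that checks the length before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Dell or Broadcom code: the firmware's global data
 * segment holds a fixed-size command buffer followed directly by a small
 * descriptor that the update path trusts (a stand-in for the Secure Code
 * Descriptor). Backing both with one array keeps the overwrite defined C. */
#define CMD_BUF_SIZE 64
#define DESC_SIZE    8
#define DESC_MAGIC   0x43564431u          /* "CVD1", constructed value */

static uint8_t g_data[CMD_BUF_SIZE + DESC_SIZE];
#define G_CMD_BUF (g_data)                 /* bytes 0..63: command blob lands here */
#define G_DESC    (g_data + CMD_BUF_SIZE)  /* bytes 64..71: magic + trusted image digest */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Toy 32-bit FNV-1a, standing in for the real image digest. */
uint32_t toy_digest(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Reset the model: empty command buffer, descriptor pinned to one trusted digest. */
void cv_reset(uint32_t trusted_digest)
{
    memset(g_data, 0, sizeof g_data);
    wr32(G_DESC, DESC_MAGIC);
    wr32(G_DESC + 4, trusted_digest);
}

/* Vulnerable pattern: blob_len comes from the host-supplied command and is
 * never compared with the destination size before the copy. */
int cv_handle_cmd_vulnerable(const uint8_t *blob, size_t blob_len)
{
    memcpy(G_CMD_BUF, blob, blob_len);     /* blob_len > CMD_BUF_SIZE runs into G_DESC */
    return 0;
}

/* Hardened pattern: validate the length first and fail closed. */
int cv_handle_cmd_hardened(const uint8_t *blob, size_t blob_len)
{
    if (blob == NULL || blob_len > CMD_BUF_SIZE)
        return -1;
    memcpy(G_CMD_BUF, blob, blob_len);
    return 0;
}

/* Update verifier: an image is accepted only if the descriptor is intact and
 * the image digest matches the one the descriptor records. */
int cv_verify_update(const uint8_t *img, size_t img_len)
{
    if (rd32(G_DESC) != DESC_MAGIC) return 0;
    return toy_digest(img, img_len) == rd32(G_DESC + 4);
}

/* Attacker's blob: 64 filler bytes, then a replacement descriptor. */
static void build_oversized_blob(uint8_t out[CMD_BUF_SIZE + DESC_SIZE], uint32_t forged_digest)
{
    memset(out, 'A', CMD_BUF_SIZE);
    wr32(out + CMD_BUF_SIZE, DESC_MAGIC);
    wr32(out + CMD_BUF_SIZE + 4, forged_digest);
}

static const uint8_t LEGIT_FW[] = "constructed legitimate image";
static const uint8_t EVIL_FW[]  = "constructed attacker image";

/* Returns 1 when the forged image is accepted after the overflow (the chain the
 * advisory describes), 0 otherwise. */
int demo_vulnerable(void)
{
    uint8_t blob[CMD_BUF_SIZE + DESC_SIZE];
    cv_reset(toy_digest(LEGIT_FW, sizeof LEGIT_FW));
    if (cv_verify_update(EVIL_FW, sizeof EVIL_FW)) return 0;   /* rejected before the attack */
    build_oversized_blob(blob, toy_digest(EVIL_FW, sizeof EVIL_FW));
    cv_handle_cmd_vulnerable(blob, sizeof blob);
    return cv_verify_update(EVIL_FW, sizeof EVIL_FW);
}

/* Returns 1 when the hardened handler rejects the same blob and both the
 * descriptor and the verifier's outcome are unchanged. */
int demo_hardened(void)
{
    uint8_t blob[CMD_BUF_SIZE + DESC_SIZE];
    cv_reset(toy_digest(LEGIT_FW, sizeof LEGIT_FW));
    build_oversized_blob(blob, toy_digest(EVIL_FW, sizeof EVIL_FW));
    int rc = cv_handle_cmd_hardened(blob, sizeof blob);
    return rc == -1
        && rd32(G_DESC + 4) == toy_digest(LEGIT_FW, sizeof LEGIT_FW)
        && !cv_verify_update(EVIL_FW, sizeof EVIL_FW);
}

int main(void)
{
    printf("vulnerable handler: forged update accepted = %d\n", demo_vulnerable());
    printf("hardened handler:   blob rejected, descriptor intact = %d\n", demo_hardened());
    return 0;
}
```

The fix is the one-line length check before the copy: the host controls the blob length, so the firmware must compare it against the destination's fixed capacity, not against anything the blob itself claims. The model deliberately places the descriptor right after the buffer in a single backing array so that the overwrite stays within defined behaviour while still showing why a global-buffer overflow is enough to defeat a downstream signature or digest check that trusts in-memory descriptor state.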
Remediation
Update to Dell ControlVault3 firmware version 5.15.14.19 or later, or Dell ControlVault3 Plus version 6.2.36.47 or later. Update instructions for specific systems are available on the Dell Drivers & Downloads site.
