Dell ControlVault3 and ControlVault3 Plus Out-of-Bounds Read and Write Vulnerabilities in WBDI Driver Storage Adapter

Vulnerability

Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter of Dell ControlVault3 prior to version 5.15.14.19 and Dell ControlVault3 Plus prior to version 6.2.36.47. An attacker who can issue the relevant API call can trigger them, resulting in memory corruption. The root cause is that the Storage Adapter does not properly validate the buffer sizes supplied in WinBioControlUnit calls: a caller-chosen size is trusted, so the adapter reads or writes memory outside the buffer it was given.

Impact

Exploitation of these vulnerabilities corrupts memory in the WinBio Service, the process that hosts the adapter. This can crash the service (denial of service), leak memory contents, and potentially allow code execution with the service's SYSTEM privileges.

Reproduction

The vulnerability can be reproduced by sending a WinBioControlUnit call to the Storage Adapter with ControlCode 2 (WBIO_USH_GET_IDENTITY) and a ReceiveBufferSize between 4 and 80 bytes, a size the adapter accepts even though it is too small for the data it writes back. This causes an out-of-bounds write of up to 75 bytes. The data written may consist of null bytes, or of attacker-controlled data if a separate vulnerability is used to insert such data into the storage database.
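The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections, not code from Dell, Broadcom or the advisory. It models the adapter's handling of a WinBioControlUnit request in the WinBio Service: a vulnerable handler that checks ReceiveBufferSize only against a small header before copying a fixed-size identity record, beside a hardened handler that compares against the full record length and reports the required size. The 80-byte record length, the 4-byte header check, the constructed record contents and the status codes are modelling assumptions chosen to match the sizes the advisory gives (a buffer of 5 to 79 bytes overruns by 75 down to 1 bytes); the real adapter's layout and return values are not known from this page. The harness allocates the receive buffer plus a canary region in one block so the check stays in bounds while still measuring the overrun.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelling assumptions (not the real adapter's code): the identity record
 * the storage adapter copies back is 80 bytes, the flawed check only
 * demands that a 4-byte header fits, and the return codes are placeholders. */
#define IDENTITY_RECORD_LEN  80u
#define HEADER_LEN            4u
#define CONTROL_GET_IDENTITY  2u   /* ControlCode 2, WBIO_USH_GET_IDENTITY in the advisory */

enum adapter_status {
    ADAPTER_OK = 0,
    ADAPTER_E_BAD_CONTROL_CODE = 1,
    ADAPTER_E_BUFFER_TOO_SMALL = 2
};

/* Constructed stand-in for the record read from the storage database:
 * a type field followed by recognisable filler. */
static void build_identity_record(uint8_t rec[IDENTITY_RECORD_LEN])
{
    memset(rec, 0, IDENTITY_RECORD_LEN);
    rec[0] = 0x03;
    for (size_t i = HEADER_LEN; i < IDENTITY_RECORD_LEN; i++)
        rec[i] = (uint8_t)('A' + (i % 26));
}

/* Vulnerable pattern: ReceiveBufferSize is only checked against the header,
 * so any size from 5 through 79 passes and the 80-byte copy overruns the
 * service's receive buffer by up to 75 bytes. */
int adapter_control_vulnerable(uint32_t code, uint8_t *recv,
                               size_t recv_size, size_t *recv_data)
{
    uint8_t rec[IDENTITY_RECORD_LEN];
    if (code != CONTROL_GET_IDENTITY)
        return ADAPTER_E_BAD_CONTROL_CODE;
    if (recv == NULL || recv_size <= HEADER_LEN)
        return ADAPTER_E_BUFFER_TOO_SMALL;
    build_identity_record(rec);
    memcpy(recv, rec, IDENTITY_RECORD_LEN);   /* length never compared to recv_size */
    *recv_data = IDENTITY_RECORD_LEN;
    return ADAPTER_OK;
}

/* Hardened pattern: report the required size first, then refuse any buffer
 * that cannot hold the whole record before touching it. */
int adapter_control_hardened(uint32_t code, uint8_t *recv,
                             size_t recv_size, size_t *recv_data)
{
    uint8_t rec[IDENTITY_RECORD_LEN];
    if (code != CONTROL_GET_IDENTITY)
        return ADAPTER_E_BAD_CONTROL_CODE;
    *recv_data = IDENTITY_RECORD_LEN;         /* lets the caller size a retry */
    if (recv == NULL || recv_size < IDENTITY_RECORD_LEN)
        return ADAPTER_E_BUFFER_TOO_SMALL;
    build_identity_record(rec);
    memcpy(recv, rec, IDENTITY_RECORD_LEN);
    return ADAPTER_OK;
}

typedef int (*adapter_fn)(uint32_t, uint8_t *, size_t, size_t *);

/* Simulated service side: allocate a receive buffer of exactly the size the
 * client asked for, place a canary region right after it, run the adapter and
 * count canary bytes that were overwritten. The single allocation covers both
 * regions, so this check itself stays in bounds while detecting the overrun. */
size_t overrun_bytes(adapter_fn adapter, size_t recv_size, int *status)
{
    const size_t canary_len = IDENTITY_RECORD_LEN;
    uint8_t *buf = calloc(recv_size + canary_len, 1);
    size_t recv_data = 0, clobbered = 0;
    int rc;
    if (buf == NULL) { if (status) *status = -1; return 0; }
    memset(buf + recv_size, 0xCC, canary_len);
    rc = adapter(CONTROL_GET_IDENTITY, buf, recv_size, &recv_data);
    if (status) *status = rc;
    for (size_t i = 0; i < canary_len; i++)
        if (buf[recv_size + i] != 0xCC)
            clobbered++;
    free(buf);
    return clobbered;
}

/* Status code an adapter returns for a given ReceiveBufferSize. */
int adapter_status(adapter_fn adapter, size_t recv_size)
{
    int status = 0;
    (void)overrun_bytes(adapter, recv_size, &status);
    return status;
}

int main(void)
{
    const size_t sizes[] = { 4, 5, 40, 79, 80 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int sv, sh;
        size_t ov = overrun_bytes(adapter_control_vulnerable, sizes[i], &sv);
        size_t oh = overrun_bytes(adapter_control_hardened, sizes[i], &sh);
        printf("ReceiveBufferSize=%2zu  vulnerable: status=%d overrun=%2zu  "
               "hardened: status=%d overrun=%zu\n", sizes[i], sv, ov, sh, oh);
    }
    return 0;
}
```

The point of the hardened form is that the size check compares against the length actually copied, not against a header or a minimum, and that the required length is returned so a well-behaved client can retry with a correctly sized buffer rather than probing. In the real API the same request is made through WinBioControlUnit against the unit's storage component; this model only reproduces the size-handling logic, not the Windows call.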

Remediation

Update to Dell ControlVault3 version 5.15.14.19 or later, or Dell ControlVault3 Plus version 6.2.36.47 or later. Update instructions are available on the Dell Drivers & Downloads site. After updating, confirm on each affected system that the installed ControlVault driver and firmware versions meet these minimums.

Added: Nov 17, 2025, 11:29 PM
Updated: Nov 18, 2025, 3:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.3
remediation: 7.7
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.