Dell ControlVault3 Out-of-Bounds Read and Write Vulnerability in WBDI Driver Storage Adapter

A set of out-of-bounds read and write vulnerabilities has been identified in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3. The affected versions are prior to 5.15.14.19 for Dell ControlVault3 and prior to 6.2.36.47 for Dell ControlVault3 Plus. These vulnerabilities allow memory corruption through a specially crafted WinBioControlUnit call, which can be exploited by sending an API call with invalid buffer sizes. The vulnerabilities can lead to memory corruption in the WinBio Service, potentially causing a denial-of-service by crashing the service, leaking information, and possibly executing code with system privileges.

Impact

Exploitation of these vulnerabilities can cause the WinBio Service to crash, leading to a denial-of-service. However, the memory corruption could also be exploited to execute code with system privileges, especially since the WinBio Service runs under the system account.

Reproduction

To reproduce this vulnerability, send a WinBioControlUnit call to the StorageAdapter with ControlCode 0 (WBIO_USH_GET_TEMPLATE) or ControlCode 2 (WBIO_USH_GET_IDENTITY). For ControlCode 0, the ReceiveBufferSize must be less than 4, and the SendBufferSize must be less than 76. For ControlCode 2, the ReceiveBufferSize must be between 4 and 80. The out-of-bounds write can be triggered by sending a ReceiveBufferSize that is too small, while the out-of-bounds read can be triggered by sending an invalid SendBufferSize.

Remediation

Users can update to Dell ControlVault3 versions 5.15.14.19 or later, or Dell ControlVault3 Plus versions 6.2.36.47 or later. For specific update instructions, visit the Dell Drivers & Downloads site.