Dell ControlVault3 and ControlVault3 Plus Out-of-Bounds Read and Write Vulnerability in Broadcom Storage Adapter
Vulnerability
Multiple out-of-bounds read and write vulnerabilities have been identified in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3, prior to version 5.15.14.19, and Dell ControlVault3 Plus, prior to version 6.2.36.47. A specially crafted WinBioControlUnit call triggers memory corruption. An attacker who issues such an API call can cause information leaks, memory corruption, and crashes of the WinBio Service, and the memory corruption could be exploited for code execution as the SYSTEM user.
Impact
Exploitation of these vulnerabilities causes the WinBio Service to crash, creating a denial-of-service condition. However, the memory corruption could be leveraged for more severe impacts, such as information leaks or code execution with SYSTEM privileges.
Reproduction
The vulnerability can be reproduced by sending a WinBioControlUnit call to the StorageAdapter with the ControlCode 4 (WBIO_USH_ADD_RECORD) and an invalid SendBufferSize. This will trigger an out-of-bounds read, allowing memory to be read past the intended buffer limits.
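The class of check whose absence produces this kind of bug, as an added example that is not code from the Dell or Broadcom driver: a simplified model of a control-unit handler that validates the caller-supplied send buffer size before reading any field and before copying. The record layout (4-byte little-endian length followed by payload), the `MAX_PAYLOAD` limit, and all struct and function names are assumptions made for illustration; only ControlCode 4 and the `SendBufferSize` parameter come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model for illustration; not the driver's real layout or API. */
#define CTRL_ADD_RECORD 4u    /* ControlCode named in the advisory */
#define HDR_SIZE        4u    /* assumed: 4-byte little-endian payload length */
#define MAX_PAYLOAD     256u  /* assumed destination capacity */

enum { CU_OK = 0, CU_BAD_CODE = -1, CU_BAD_SIZE = -2 };

struct record {
    uint32_t len;
    uint8_t  data[MAX_PAYLOAD];
};

/* Read a 32-bit little-endian value without alignment assumptions. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* send/send_size model the caller-controlled SendBuffer/SendBufferSize pair. */
int control_unit(uint32_t code, const uint8_t *send, size_t send_size,
                 struct record *out)
{
    if (code != CTRL_ADD_RECORD)
        return CU_BAD_CODE;

    /* 1. The buffer must hold the whole header before any field is read;
     *    skipping this is what turns a short buffer into an OOB read. */
    if (send == NULL || out == NULL || send_size < HDR_SIZE)
        return CU_BAD_SIZE;

    uint32_t len = rd_le32(send);

    /* 2. The embedded length must fit what the caller actually supplied
     *    (read bound) and the destination (write bound). Subtracting from
     *    send_size avoids integer overflow in HDR_SIZE + len. */
    if (len > send_size - HDR_SIZE || len > MAX_PAYLOAD)
        return CU_BAD_SIZE;

    out->len = len;
    memcpy(out->data, send + HDR_SIZE, len);
    return CU_OK;
}
```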
Remediation
Users can update to Dell ControlVault3 version 5.15.14.19 or later, or Dell ControlVault3 Plus version 6.2.36.47 or later. Instructions for downloading the latest versions are available on the Dell Drivers & Downloads site.
