A high-severity privilege escalation vulnerability has been identified in Dell ControlVault3 software, affecting multiple Dell products. This flaw allows a local user with basic permissions to gain full administrative control over an affected system. Successful exploitation could lead to a complete system compromise, enabling an attacker to steal sensitive data, install malicious software, or disrupt operations.

This vulnerability is a local privilege escalation flaw within the Dell ControlVault WBDI Driver. Specifically, the WBIO_USH_ADD_RECORD function does not properly validate input sent from a user-mode application. A local attacker with low-level user privileges can craft a malicious request to this driver function, causing a buffer overflow or memory corruption in the kernel. This allows the attacker to execute arbitrary code with SYSTEM-level privileges, resulting in a complete compromise of the host machine's confidentiality, integrity, and availability.

This vulnerability is rated as High severity with a CVSS score of 8.7. A successful exploit would allow a malicious actor who has already gained initial low-privileged access (e.g., through phishing or another vulnerability) to escalate their privileges to the highest level on the system. This could lead to severe consequences, including the theft of sensitive corporate data, deployment of ransomware, installation of persistent backdoors for long-term access, and the ability to use the compromised system as a pivot point to attack other resources on the corporate network.

Immediate Action:

• Immediately apply the security update provided by Dell to upgrade the ControlVault3 software to version 5 or a later, patched version.
• Conduct an audit of user accounts and permissions on all Dell endpoints to ensure the principle of least privilege is strictly enforced, limiting the potential impact of an initial compromise.

Proactive Monitoring:

• Utilize Endpoint Detection and Response (EDR) solutions to monitor for suspicious processes interacting with the ControlVault driver (bioush.sys or similar).
• Monitor system logs for unexpected crashes or errors related to the ControlVault service, which could indicate failed exploitation attempts.
• Create alerts for any low-privilege user processes attempting to spawn shells or other processes with elevated (SYSTEM/Administrator) privileges.

Compensating Controls:

• If immediate patching is not feasible, implement application whitelisting to prevent unauthorized executables (i.e., an attacker's payload) from running on the system.
• Ensure Host-Based Intrusion Prevention Systems (HIPS) are enabled and configured to detect and block common privilege escalation techniques.
• Restrict physical access to devices and enforce strong password policies to reduce the risk of an attacker gaining initial low-privileged access.

Public Exploit Available: false

Due to the High severity (CVSS 8.7) of this vulnerability, we strongly recommend that organizations prioritize patching all affected Dell systems immediately. A successful exploit grants an attacker complete control over a workstation, posing a significant risk to the organization. While this vulnerability is not currently on the CISA KEV catalog, its direct path to full system compromise makes it an attractive target for attackers. The deployment of the vendor-supplied patch for Dell ControlVault3 should be treated as a critical priority to prevent potential system takeovers, data breaches, and lateral movement across the network.