Full Report
Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.
Analysis Summary
# Vulnerability: ReVault: Critical Vulnerabilities in Dell ControlVault Firmware and APIs Leading to Persistence and Physical Bypass
## CVE Details
- CVE ID: CVE-2025-24311 (Out-of-bounds)
- CVE ID: CVE-2025-25050 (Out-of-bounds)
- CVE ID: CVE-2025-25215 (Arbitrary Free)
- CVE ID: CVE-2025-24922 (Stack Overflow)
- CVE ID: CVE-2025-24919 (Unsafe Deserialization in Windows APIs)
- CVSS Score: Not explicitly stated, but impact suggests High/Critical.
- CWE: Various (Out-of-bounds Write/Read, Use After Free, Stack Overflow, Deserialization of Untrusted Data)
## Affected Systems
- Products: Dell ControlVault (CV) Firmware (ControlVault3 and ControlVault3+), associated Windows APIs.
- Versions: Affects **100+** models of Dell Laptops using CV3/CV3+. Specific models listed in **DSA-2025-053**.
- Configurations: Widely used in Latitude and Precision series laptops, often in environments utilizing security peripherals (fingerprint, smart card, NFC).
## Vulnerability Description
The vulnerabilities reside in the ControlVault3/ControlVault3+ firmware and its communication APIs on Windows. These flaws include multiple out-of-bounds conditions (CVE-2025-24311, CVE-2025-25050), an arbitrary free (CVE-2025-25215), and a stack overflow (CVE-2025-24922), all affecting the firmware handling. Additionally, an unsafe deserialization vulnerability (CVE-2025-24919) impacts the ControlVault Windows APIs.
These combined weaknesses allow for Arbitrary Code Execution (ACE) on the CV firmware, even by a non-administrative Windows user interacting via the APIs.
## Exploitation
- Status: PoC available (Demonstrated for post-compromise pivot and physical attack bypass).
- Complexity: Low (For API interaction/triggering ACE from non-admin user), Medium (For physical attack resulting in firmware modification).
- Attack Vector: Adjacent (via APIs by low-privilege user), Physical (by local attacker accessing the USH board).
### Impact Scenarios:
1. **Post-Compromise Persistence:** A non-admin user triggers ACE on the firmware, leaks key material, and permanently modifies firmware to create a persistent implant that survives Windows reinstalls.
2. **Physical Attack Bypass:** A local attacker with physical access can tamper with the firmware via the USH board/USB. This can bypass Windows Login or allow any local user to gain Admin/System privileges. It can also allow tampering to accept *any* fingerprint if fingerprint unlock is configured.
## Impact
- Confidentiality: High (Potential to leak key material).
- Integrity: High (Firmware can be permanently modified/implanted; privilege escalation possible).
- Availability: Medium (Denial of service might be possible via faulty firmware execution).
## Remediation
### Patches
- Vendors are releasing patches. Users should ensure the latest firmware is installed.
- **Action:** Keep the system up to date. CV firmware can be deployed via Windows Update, but often appears on the Dell website first. Check Dell advisory **DSA-2025-053** for specific version updates.
### Workarounds
1. Disable ControlVault services using the **Service Manager** and/or disable the ControlVault device via the **Device Manager** if security peripherals (fingerprint, smart card, NFC) are not in use.
2. Consider disabling fingerprint login when physical security risk is heightened (e.g., leaving unattended).
3. Enable and rely on Windows **Enhanced Sign-in Security (ESS)**, which may help detect inappropriate firmware changes.
## Detection
- **Indicators of Compromise (IoCs):**
- Unexpected crashes of the Windows Biometric Service in Windows logs.
- Unexpected crashes of Credential Vault services in Windows logs.
- **Detection Methods and Tools:**
- Enable chassis intrusion detection in the computer’s BIOS to flag physical tampering.
- Cisco Secure Endpoint users can look for the signature definition: **“bcmbipdll.dll Loaded by Abnormal Process”**.
## References
- Vendor Advisory: **Dell DSA-2025-053** (Referenced for affected models)
- Research Details: Talos security advisories documenting the findings.
- Relevant Link: dell dot com/support/home/en-vc/drivers/driversdetails?driverid=twf65 (Dell ControlVault overview)