Gandalf_The_Grey
Thread author
Users of Dell systems are still at risk of having their Windows systems compromised via Dell drivers through kernel attacks. The problem was supposed to be fixed by updates as early as May 2021. However, security researchers from Rapid7 are now sounding the alarm that these security updates have not closed all vulnerabilities. True, administrator privileges are required to install the drivers. But it looks like this approach is being used by cyber gangs for attacks. However, there are countermeasures in the business environment.
Response from Dell:
After careful consideration with the product team, we have classified this issue as a vulnerability rather than a security risk because a certain privilege level is required to perform an attack. This is consistent with the guidance provided in the Windows driver model. We do not intend to publish a security advisory or issue a CVE on this issue.
It is true that driver installation requires administrator privileges. But then an attacker can also attack the kernel via the driver and possibly install rootkits, etc. The countermeasure would be to block the installation of the drivers in question via driver block rules – but Dell drivers are not currently on the list (Dell is working with Microsoft on this, though). Those who have the option to enable Hypervisor-Protected Code Integrity (HVCI) should definitely do so. Furthermore, Secure Boot should at least be enabled.
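As an added example (not part of the original post, nor code from Dell or Rapid7), the following PowerShell function reports whether the mitigations recommended above are actually active on a machine: HVCI, Secure Boot, and Microsoft's vulnerable-driver blocklist. It assumes an elevated PowerShell session on Windows 10/11; the `VulnerableDriverBlocklistEnable` registry value is assumed to exist only on newer builds, so it is read with an error-tolerant lookup.

```powershell
# Added example: report the state of the mitigations the post recommends
# (HVCI, Secure Boot, Microsoft vulnerable-driver blocklist). Run elevated.
function Get-DriverMitigationStatus {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is active,
    # SecurityServicesConfigured contains 2 when it is configured (even if not yet running).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems; treat that as "not enabled".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # Assumption: this value is only present on Windows 11 22H2+ / recent Windows 10 builds.
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                     -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistOn = ($blocklist -eq 1)

    # Collect the gaps as actionable recommendations for the administrator.
    $todo = @(
        if (-not $hvciRunning) { 'Enable Hypervisor-Protected Code Integrity (HVCI)' }
        if (-not $secureBoot)  { 'Enable Secure Boot in the UEFI firmware' }
        if (-not $blocklistOn) { 'Enable the Microsoft vulnerable driver blocklist / driver block rules' }
    )

    [pscustomobject]@{
        HvciConfigured            = $hvciConfigured
        HvciRunning               = $hvciRunning
        SecureBootEnabled         = $secureBoot
        VulnerableDriverBlocklist = $blocklistOn
        Recommendations           = $todo
    }
}

Get-DriverMitigationStatus | Format-List
```

A host that reports `HvciRunning : True`, `SecureBootEnabled : True` and an empty `Recommendations` list has the defences the post describes in place; anything listed under `Recommendations` is a gap to close.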