Vulnerable Dell driver puts hundreds of millions of systems at risk (fixed driver available from Dell)

Gandalf_The_Grey

Level 51
Verified
Trusted
Content Creator
Apr 24, 2016
4,012
A driver that’s been pushed for the past 12 years to Dell computer devices for consumers and enterprises contains multiple vulnerabilities that could lead to increased privileges on the system.
It is estimated that hundreds of millions of Dell computers, from desktops and laptops to tablets, received the vulnerable driver through BIOS updates.

Five flaws in one
A collection of five flaws, collectively tracked as CVE-2021-21551, have been discovered in DBUtil, a driver from that Dell machines install and load during the BIOS update process and is unloaded at the next reboot.
Looking closer at the DBUtil driver, Kasif Dekel, a security researcher at cybersecurity company Sentinel One, found that it can be exploited “to escalate privileges from a non-administrator user to kernel mode privileges.”
Code from an attacker running with this level of permissions would have unrestricted access to all hardware available on the system, including referencing any memory address.
This type of vulnerability is not considered critical because an attacker exploiting it needs to have compromised the computer beforehand. However, it allows threat actors and malware to gain persistence on the infected system.
Although there is a single tracking number, Dekel says that there are five separate flaws, most of them leading to privilege escalation and one code logic issue that leads to denial of service.
The researcher provides technical information in a blog post today but holds back the details for triggering and exploiting the flaws to give users time to apply the patch. He plans to share proof-of-concept exploit code on June 1st.

Dekel says that Dell has prepared a security advisory for this vulnerability. The remedy is a fixed driver but the researcher says that at the moment of writing the report the company had not revoked the certificate for the vulnerable driver, meaning that an adversary on the network can still use it in an attack.
 

mkoundo

Level 5
Verified
Jul 21, 2017
245

  • Option 2: Manually remove the vulnerable dbutil_2_3.sys driver:
Step A: Check the following locations for the dbutil_2_3.sysdriver file
  • C:\Users\<username>\AppData\Local\Temp
  • C:\Windows\Temp
Step B: Select the dbutil_2_3.sys file and hold down the SHIFT key while pressing the DELETE key to permanently delete.

Note: if you usually use a standard user account, you'll need to log into your admin account.
 
Top