

Details of several high severity vulnerabilities in Dell’s firmware update driver, grouped together as CVE2021-21551 with a CVSS score of 8.8, were published on 4 May 2021 and could lead to privilege escalation,
denial of service and/or information disclosure on affected devices.
Potentially impacting millions of Dell devices shipped since 2009 and running Windows, these vulnerabilities are not yet believed to have been exploited in-the-wild although the publication alongside the release of an update utility could enable higher-sophistication threat actors to determine the cause and craft their own exploits.
Notably, the researchers that discovered these flaws are delaying the release of a privilege escalation proof-of-concept (PoC) until 1 June 2021 to allow time for patching although, upon release, this could see exploitation by lower-sophistication threat actors.
Whilst the list of potentially affected Dell devices includes desktops and laptops from both their business and consumer product lines, the vulnerable update driver is only installed when the firmware update process is initiated and is not present by default on factory-shipped installations.
That being said, organizations that have utilized Dell (or Alienware) firmware update utilities on their Windows installations are potentially vulnerable and should act upon Dell advice, as summarized in this bulletin.
Arising from five specific flaws, including memory corruption, a lack of input validation and code logic issues, exploitation requires the threat actor to have local authenticated access to the vulnerable device, such as acquired through some other malware threat or social engineering.
Once the threat actor has gained access to, and exploited the vulnerable device, the threat actor could gain elevated privileges including the ability to execute arbitrary code with ‘kernel mode’ permissions.
The vulnerable driver, dbutil_2_3.sys
, will only be present on Windows systems that have used Dell update utilities to install BIOS, drivers and firmware, including:
Although some of these utilities are only present on consumer devices, ‘Dell Command | Update’ is explicated listed as an application installed on business platforms and therefore may be deployed in environments that utilize default operating system builds from Dell.
The Dell security advisory ‘DSA-2021-088’ [2] provides tables of both ‘supported’ and ‘end of service’ devices impacted by this vulnerability including products from the following ranges:
Given the need for local authenticated access to exploit these vulnerabilities, a threat actor would need to utilize some other method of initial intrusion, such as the deployment of a malware threat or social engineering a user into allowing access.
Subsequently, exploitation leading to arbitrary code execution with kernel mode privileges could allow end-point security solutions to be bypassed.
%TEMP%
directories:
C:UsersAppDataLocalTempdbutil_2_3.sys
C:WindowsTempdbutil_2_3.sys
[1] https://www.dell.com/support/kbdoc/en-uk/000186019/dsa-2021-088-dell-client-platform-securityupdate-for-dell-driver-insufficient-access-control-vulnerability
[2] https://www.dell.com/support/home/en-uk/drivers/driversdetails?driverid=7PR57