Dell Firmware Update Driver Vulnerability CVE-2021-21551
Details of several high severity vulnerabilities in Dell’s firmware update driver, grouped together as CVE-2021-21551 with a CVSS score of 8.8, were published on 4 May 2021 and could lead to privilege escalation, denial of service and/or information disclosure on affected devices.
Potentially impacting millions of Dell devices shipped since 2009 and running Windows, these vulnerabilities are not yet believed to have been exploited in-the-wild although the publication alongside the release of an update utility could enable higher-sophistication threat actors to determine the cause and craft their own exploits.
Notably, the researchers that discovered these flaws are delaying the release of a privilege escalation proof-of-concept (PoC) until 1 June 2021 to allow time for patching although, upon release, this could see exploitation by lower-sophistication threat actors.
Whilst the list of potentially affected Dell devices includes desktops and laptops from both their business and consumer product lines, the vulnerable update driver is only installed when the firmware update process is initiated and is not present by default on factory-shipped installations.
That being said, organizations that have utilized Dell (or Alienware) firmware update utilities on their Windows installations are potentially vulnerable and should act upon Dell advice, as summarized in this bulletin.
Arising from five specific flaws, including memory corruption, a lack of input validation and code logic issues, exploitation requires the threat actor to have local authenticated access to the vulnerable device, such as acquired through some other malware threat or social engineering.
Once the threat actor has gained access to, and exploited the vulnerable device, the threat actor could gain elevated privileges including the ability to execute arbitrary code with ‘kernel mode’ permissions.
The vulnerable driver, dbutil_2_3.sys, will only be present on Windows systems that have used Dell update utilities to install BIOS, drivers and firmware, including:
- Alienware Update
- Dell Command | Update
- Dell Platform Tags
- Dell SupportAssist
- Dell System Inventory Agent
- Dell Update
Although some of these utilities are only present on consumer devices, ‘Dell Command | Update’ is explicitly listed as an application installed on business platforms and therefore may be deployed in environments that utilize default operating system builds from Dell.
The Dell security advisory ‘DSA-2021-088’ provides tables of both ‘supported’ and ‘end of service’ devices impacted by this vulnerability including products from the following ranges:
- Dell ChengMing
- Dell Gx
- Dell Embedded Box PC
- Dell Inspiron
- Dell Latitude
- Dell OptiPlex
- Dell Precision
- Dell Vostro
- Dell XPS
- Dell Dock WD15/WD19
- Dell Thunderbolt Dock TB16/TB18DC
Given the need for local authenticated access to exploit these vulnerabilities, a threat actor would need to utilize some other method of initial intrusion, such as the deployment of a malware threat or social engineering a user into allowing access.
Subsequently, exploitation leading to arbitrary code execution with kernel mode privileges could allow end-point security solutions to be bypassed.
- Organizations with Dell deployments using Windows are recommended to determine if Dell update utilities are present on their systems and, if so, identify the presence of the vulnerable driver in the following
- If found, Dell recommends immediately removing the vulnerable driver, either by using the DSA-2021-088 update package or by manually, and permanently, deleting the file(s).
- To prevent the vulnerable driver from being redeployed, Dell recommends that ‘remediated’ releases of their update utilities are installed. Versions for Windows 10 are available at the time of writing whilst updates for Windows 7 (an end-of-life operating system) and Windows 8.1 are expected to be released by 31 July 2021.
- Organizations using unsupported hardware, or those not immediately deploying ‘remediated’ update utilities, will need to follow the removal process should firmware updates be performed in the interim period.
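As an added example (not part of this bulletin or of Dell’s advisory), the following PowerShell function performs the detection steps above on a single Windows host: it checks whether dbutil_2_3.sys is registered as a kernel driver, whether any of the listed Dell/Alienware update utilities are installed, and whether copies of the driver file exist on disk. The driver and utility names come from the bulletin; the search locations (Windows\Temp and each user’s local Temp folder) are an assumption about where the update utilities stage the driver, so extend them to suit your environment.

```powershell
# Added example: inventory a host for the vulnerable Dell driver and its delivery utilities.
# Run from an elevated PowerShell session. Returns objects so results can be exported or
# fed into a fleet-wide scan; it removes nothing.
function Find-DellDbutilDriver {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'dbutil_2_3.sys',   # file name from the bulletin
        # Assumed staging locations; adjust as needed for your deployment.
        [string[]]$SearchRoots = @("$env:SystemRoot\Temp") +
            (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Is the driver registered/loaded as a kernel service right now?
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match [regex]::Escape($DriverName) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'KernelDriver'; Detail = $_.PathName; Extra = $_.State })
        }

    # 2. Are the update utilities named in the bulletin installed (32- and 64-bit uninstall hives)?
    $utilityPattern = 'Alienware Update|Dell Command \| Update|Dell Platform Tags|' +
                      'Dell SupportAssist|Dell System Inventory Agent|^Dell Update'
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $utilityPattern } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'UpdateUtility'; Detail = $_.DisplayName; Extra = $_.DisplayVersion })
        }

    # 3. Look for copies of the driver file on disk; record a SHA-256 so copies can be compared.
    foreach ($root in $SearchRoots | Where-Object { Test-Path $_ }) {
        Get-ChildItem -Path $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                $findings.Add([pscustomobject]@{ Type = 'DriverFile'; Detail = $_.FullName; Extra = $hash })
            }
    }
    return $findings
}

$results = Find-DellDbutilDriver
if ($results.Count -eq 0) { Write-Output 'No trace of dbutil_2_3.sys or its update utilities found.' }
else { $results | Format-Table -AutoSize }
```

A non-empty result means the host has either the vulnerable driver or a utility that can redeploy it, so both the removal step and the ‘remediated’ utility upgrade from the bulletin apply.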