News

'Millions' of Dell Windows PCs Contain 'Critical' Driver Vulnerability

• By Kurt Mackie
• 05/05/2021

Dell on Tuesday issued a support article describing a "Critical" vulnerability in the Dell dbutil driver affecting most Windows-based Dell computer users.

The vulnerability (CVE-2021-21551) is ranked at 8.8 on the Common Vulnerability Scoring System ranking, on a scale of 1 to 10 in severity. Users of Dell computers running Windows 7, Windows 8.1 and Windows 10 systems are urged to apply some remediation steps to "immediately remove" the driver, "dbutil_2_3.sys."  

Removal Options
The driver can either be manually removed or users can run "the Dell Security Advisory Update – DSA-2021-088 utility" to automatically remove it.

Alternatively, users of Dell notification solutions can use that service to run the DSA-2021-088 utility starting "on or after May 10, 2021" to remove the driver.

'Hundreds of Millions' Affected
The vulnerability affects "hundreds of millions" of Windows-based Dell machines as it's been in the driver since 2009, according to a post by SentinelLabs

It was SentinelLabs that initially tipped off Dell to the flaw -- back on December 1, 2020. The vulnerable driver is part of various BIOS update utilities released by Dell over the years and could give an attacker Windows "kernel mode privileges," SentinelLabs indicated.

"These multiple high severity vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges," the SentinelLabs post stated.

Neither Dell nor SentinelLabs have so far observed active attacks exploiting the driver vulnerability. However, the flaw offers various attack avenues, per Dell's support article description:

Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.

While local authentication by an attacker on a Dell Windows machine is needed to exploit the driver vulnerability, an exploit could be carried out by someone with remote access to such a machine, Dell explained in an FAQ document. Such access could get enabled by phishing or planting malware.

"A malicious actor would first need to be granted access to your PC, for example through phishing, malware or by you granting remote access," the FAQ further explained.

Another restriction for attackers is that the "the dbutil_2_3.sys driver must be loaded into memory when an administrator runs one of the impacted firmware update utility packages," Dell's FAQ indicated.

Apparently, just having dbutil_2_3.sys latent on a Windows system doesn't enable the exploit, but it's a concern if Dell's firmware update utilities are used.

Driver Distribution
Dell's support article explained that its dbutil_2_3.sys driver doesn't come preinstalled. It just gets put on Windows-based Dell PCs if any of the following firmware update services were used:

• Dell firmware update utility packages
• Dell Command Update
• Dell Update
• Alienware Update
• Dell System Inventory Agent or
• Dell Platform Tags, "including when using any Dell notification solution to update drivers, BIOS, or firmware for your system."

This vulnerability is just associated with Dell Windows machines. Dell clarified in the FAQ document that the dbutil_2_3.sys driver didn't arrive through the Windows Update service -- it's just a problem with Dell's firmware driver that gets updated by Dell's solutions.

Possible Certificate Issue
SentinelLabs offered generally positive views regarding Dell's response to its findings. However, it criticized Dell for not revoking a certificate associated with the vulnerable driver.

"While Dell is releasing a patch (a fixed driver), note that the certificate was not yet revoked (at the time of writing)," SentinelLabs noted. "This is not considered best practice since the vulnerable driver can still be used in a BYOVD attack as mentioned earlier."