By Randy Becker, VP & Principal Security Architect
On May 4, 2021, SentinelLabs published research disclosing five security bugs in a Dell driver, collectively tracked as CVE-2021-21551. This local privilege-escalation (LPE) issue carries a CVSS base score of 8.8 out of 10. SentinelLabs reported the findings to Dell on December 1, 2020. These five high-severity vulnerabilities in Dell's firmware update driver have the potential to affect hundreds of millions of Dell desktops, laptops, notebooks, and tablets.
These vulnerabilities could permit a threat actor who already has a non-admin user account on the machine to escalate to kernel-mode privileges! If your security team is like ours, you immediately went to work thinking of creative ways to bypass security controls, run malicious code, and then pivot to other devices on the network for lateral movement during red-teaming exercises.
What to do if you are affected
According to Dell Security Advisory DSA-2021-088, the vulnerability exists in the dbutil_2_3.sys driver: “This driver file may have been installed on your Dell Windows operating system when you used firmware update utility packages, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, or Dell Platform Tags, including when using any Dell notification solution to update drivers, BIOS, or firmware for your system. To best protect yourself, Dell recommends removing the dbutil_2_3.sys driver from your system.” Dell provides three options for removal until replacement utilities are released on May 10, 2021. Per Dell's security advisory, “Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.”
Dell kept this simple by assigning a single CVE to all of the vulnerabilities in the dbutil_2_3.sys driver. CVE-2021-21551 covers these five separate flaws, four Local Privilege Escalations (LPE) and one Denial of Service (DoS):
- LPE #1 – Memory corruption
- LPE #2 – Memory corruption
- LPE #3 – Lack of input validation
- LPE #4 – Lack of input validation
- Denial of Service – Code logic issue
In their post, SentinelLabs describe some of the general problems with the dbutil_2_3.sys driver. They are holding off on sharing the proof-of-concept code: “However, to enable Dell customers the opportunity to remediate this vulnerability, we are withholding sharing our Proof of Concept until June 1, 2021. That proof of concept will demonstrate the first local EOP which arises out of a memory corruption issue.”
Important steps we should all be taking:
- Follow Dell's recommendations in their advisory.
- Review the Affected Products and Remediation sections of the advisory to determine whether you are impacted.
- Review the CVSS base score and any relevant temporal and environmental scores to judge the severity and risk this vulnerability carries in your own environment.
- Review the three options provided by Dell to determine how you plan to remediate. (Note: until May 10, 2021, the only option is to remove the driver, either manually or with Dell's tool.)
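As an added example (not code from the original post, and not Dell's own removal utility), the following PowerShell script reports whether the vulnerable driver is present on a host and, when run with -Remove from an elevated prompt, stops the kernel service and deletes the file. It assumes the on-disk locations that Dell's advisory lists (each user's AppData\Local\Temp and C:\Windows\Temp) and matches the kernel service with a dbutil* wildcard rather than relying on an exact service name.

```powershell
<#
  Added example, not from the original post or from Dell's tooling:
  find and optionally remove the vulnerable dbutil_2_3.sys driver
  covered by DSA-2021-088 / CVE-2021-21551. Run from an elevated
  PowerShell prompt. Assumptions: the file locations come from Dell's
  advisory; the loaded-driver check uses a wildcard because the
  service name is derived from the file name and may vary.
#>
[CmdletBinding()]
param(
    [switch]$Remove   # without -Remove the script only reports
)

$driverFile = 'dbutil_2_3.sys'

# 1. Candidate on-disk locations: the system temp directory and every
#    user profile's local temp directory (where the updaters drop the file).
$searchDirs = @("$env:SystemRoot\Temp")
foreach ($userDir in (Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue)) {
    $searchDirs += Join-Path $userDir.FullName 'AppData\Local\Temp'
}

$found = foreach ($dir in $searchDirs) {
    $candidate = Join-Path $dir $driverFile
    if (Test-Path -LiteralPath $candidate) { Get-Item -LiteralPath $candidate }
}

# 2. Is the driver registered or currently loaded as a kernel service?
#    Win32_SystemDriver lists kernel drivers, which Get-Service does not.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like 'dbutil*' -or $_.PathName -like "*$driverFile" }

if (-not $found -and -not $drivers) {
    Write-Output "No $driverFile file or dbutil kernel service found on $env:COMPUTERNAME."
    return
}

# Report what was found, including the Authenticode signer so a Dell-signed
# copy can be told apart from something merely named like it.
foreach ($f in $found) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    Write-Output ("File: {0}  Size: {1}  Signer: {2}  Status: {3}" -f
        $f.FullName, $f.Length, $sig.SignerCertificate.Subject, $sig.Status)
}
foreach ($d in $drivers) {
    Write-Output ("Driver service: {0}  State: {1}  Path: {2}" -f $d.Name, $d.State, $d.PathName)
}

if (-not $Remove) {
    Write-Output 'Report only. Re-run with -Remove (elevated) to stop the driver and delete the file.'
    return
}

# 3. Removal: stop and unregister the kernel service first; while the driver
#    is loaded the .sys file is locked and Remove-Item would fail.
foreach ($d in $drivers) {
    if ($d.State -eq 'Running') { & sc.exe stop $d.Name | Out-Null }
    & sc.exe delete $d.Name | Out-Null
    Write-Output "Unregistered kernel service $($d.Name)."
}
foreach ($f in $found) {
    Remove-Item -LiteralPath $f.FullName -Force
    Write-Output "Deleted $($f.FullName)."
}
```

Run it once without -Remove to see what is on the box, then with -Remove. Because an unpatched Dell update utility will drop the driver again the next time it runs, treat removal as an interim step until the updated utilities are installed; the report mode is also a cheap way to confirm across a fleet that no host still carries the file.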
If you need help with this issue, reach out to your GreenPages Account Manager or reach out to us!
Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation. Randy is also a HITRUST Certified CSF Practitioner (CCSFP) which ensures clients have access to the highest level of expertise related to privacy, security, compliance, and risk management.