• Home
  • Blog
  • Security
  • Dell Critical Privilege Escalation Vulnerabilities | DSA-2021-088

Dell Critical Privilege Escalation Vulnerabilities | DSA-2021-088


Summary
Dell has issued an advisory to patch five high-severity zero-day vulnerabilities that have gone undetected since 2009. The flaws, linked to a single driver file, allow escalation of privileges and kernel-level access on already compromised hosts. Owners and administrators of affected devices should apply patches ASAP.
Nature of the vulnerabilities
All five vulnerabilities are tracked in CVE-2021-21551 (CVSS 8.8) which was identified by SentinelOne researchers and noted to be implemented on hundreds of millions of business and consumer machines over the last 12 years.

While it is tracked in a single CVE, the five vulnerabilities can be broken down into the following categories:
  • Memory Corruption: two vulnerability instances
  • Input Validation: two vulnerability instances
  • DoS: one vulnerability instance
Dell's statement
A driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is first required before this vulnerability can be exploited.
"Local authenticated user access" in this case is not interpreted as physical access. Local access means simply any foothold in the operating system; such such that an established foothold by downloaded malware or a phishing attack, could position the attacker to exploit these vulnerabilities.

Affected Products
The list of affected devices is exhaustive. Visit Dell advisory DSA-2021-088 to see the table of effected devices, which includes both currently supported and end-of-life products.
Impact
Hundreds of millions of Dell tablets, notebooks, and laptops are at risk of having the vulnerabilities exploited.

The bugs allow an attacker with existing lower-privilege access to escalate and effect some real damage, such as bypass security controls, destroy data, or laterally traverse the network to other critical assets such as domain controllers.
If you're the security or IT expert of your organization, continue reading : 
The following information is highly technical and was written for security and technology professionals to aid in the identification and mitigation of the threats described above:
How can I remediate?
Remediation steps are outlined in greater detail in the Dell advisory (also linked below). The actions boil down to:

1. Immediately remove the vulnerable dbutil_2_3.sys driver from the affected system

2. Download and run a remediated firmware update utility package, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, or Dell Platform Tags as applicable.
What if I have more endpoints?
American IT Partners has developed powershell scripts for deployment of the firmware update utility package on most operating systems. Here's a snippet which can help you deploy it in your windows 10 environment.  

The snippet below is incomplete, as the backslashes are truncated from the URIs and you need to host a zip compressed copy of the driver update utility on your own web host. If you'd like a functional copy of the code, feel free to reach out or see the section below to schedule your free consultation.
$Localpath = "C:ProgramDataAITPhotfixDSA-2021-088"
$Executable = ($Localpath + "" + "DBUtilRemovalTool.exe")
$HttpDownloadURI = "https://secure.americanitpartners.com/DSA.zip"
$localZip = "C:ProgramDataAITPhotfixDSA.zip"
$FileExists = (Test-Path -Path $Executable -PathType Leaf)
$DropperFile = ($env:ProgramData + "AITPhotfixDSA-2021-088patching-done.info")
$DropperExists = (Test-Path -Path $DropperFile -PathType Leaf)
$SilentSwitch = "/s"

Set-ExecutionPolicy Bypass -Scope Process -Force
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Drawing")
[void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$computerSystem = (Get-WmiObject -Class:Win32_ComputerSystem)
Add-Type -AssemblyName 'System.Windows.Forms'
Add-Type -AssemblyName Microsoft.VisualBasic

if ($computerSystem.Manufacturer -like "*Dell*"){Write-Host "THIS IS A DELL"}
else {
Write-Host "Not a Dell"
exit
}

if (-not $FileExists) {
New-Item C:ProgramDataAITP -type directory -force
New-Item C:ProgramDataAITPhotfix -type directory -force
New-Item $Localpath -type directory -force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; Invoke-WebRequest -Uri $HttpDownloadURI -OutFile $localZip
Expand-Archive -LiteralPath $localZip -DestinationPath $Localpath -Force
}

if (-not $DropperExists) {

$p = Start-Process $Executable -ArgumentList $SilentSwitch -wait -NoNewWindow -PassThru | % { Write-Host . -NoNewline; sleep 1 }

$startExe = new-object System.Diagnostics.ProcessStartInfo -args PowerShell.exe

$startExe.open
New-Item -Path $DropperFile -ItemType File
}