• Home
  • Blog
  • Security
  • Dell Critical Privilege Escalation Vulnerabilities | DSA-2021-088

Dell Critical Privilege Escalation Vulnerabilities | DSA-2021-088


Summary
Dell has issued an advisory to patch five high-severity zero-day vulnerabilities that have gone undetected since 2009. The flaws, linked to a single driver file, allow escalation of privileges and kernel-level access on already compromised hosts. Owners and administrators of affected devices should apply patches ASAP.
Nature of the vulnerabilities
All five vulnerabilities are tracked in CVE-2021-21551 (CVSS 8.8) which was identified by SentinelOne researchers and noted to be implemented on hundreds of millions of business and consumer machines over the last 12 years.

While it is tracked in a single CVE, the five vulnerabilities can be broken down into the following categories:
  • Memory Corruption: two vulnerability instances
  • Input Validation: two vulnerability instances
  • DoS: one vulnerability instance
Dell's statement
A driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is first required before this vulnerability can be exploited.
"Local authenticated user access" in this case is not interpreted as physical access. Local access means simply any foothold in the operating system; such such that an established foothold by downloaded malware or a phishing attack, could position the attacker to exploit these vulnerabilities.

Affected Products
The list of affected devices is exhaustive. Visit Dell advisory DSA-2021-088 to see the table of effected devices, which includes both currently supported and end-of-life products.
Impact
Hundreds of millions of Dell tablets, notebooks, and laptops are at risk of having the vulnerabilities exploited.

The bugs allow an attacker with existing lower-privilege access to escalate and effect some real damage, such as bypass security controls, destroy data, or laterally traverse the network to other critical assets such as domain controllers.
If you're the security or IT expert of your organization, continue reading : 
The following information is highly technical and was written for security and technology professionals to aid in the identification and mitigation of the threats described above:
How can I remediate?
Remediation steps are outlined in greater detail in the Dell advisory (also linked below). The actions boil down to:

1. Immediately remove the vulnerable dbutil_2_3.sys driver from the affected system

2. Download and run a remediated firmware update utility package, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, or Dell Platform Tags as applicable.
What if I have more endpoints?
American IT Partners has developed powershell scripts for deployment of the firmware update utility package on most operating systems. Here's a snippet which can help you deploy it in your windows 10 environment from RMM or elevated command prompt.

If you'd like an offline copy of the code, feel free to reach out or see the section below to schedule a free consultation and we'll be happy to share it with you.
@powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://secure.americanitpartners.com/DSA-2021-088.ps1'))"