Dell Windows drivers still vulnerable to kernel attacks

Users of Dell systems are still at risk of having their Windows systems compromised through kernel attacks via Dell drivers. The problem was supposed to have been fixed by updates as early as May 2021. However, security researchers from Rapid7 are now sounding the alarm that these security updates have not closed all vulnerabilities. It is true that administrator privileges are required to install the drivers, but it looks like this approach is being used by cyber gangs in attacks. There are countermeasures, however, at least in a business environment.

Vulnerability CVE-2021-21551 in Dell drivers

In May 2021, I reported a security issue in Dell's dbutil_2_3.sys driver for Windows in the blog post Windows driver with vulnerabilities (CVE-2021-21551) puts millions of Dell systems at risk. Security researchers had discovered multiple vulnerabilities in a driver that had been installed on millions of Dell consumer and enterprise Windows systems over the past 12 years. These vulnerabilities have a severity rating of 8 (out of 10) and allow an attacker to elevate privileges.

The vulnerability (CVE-2021-21551) in Dell's so-called DBUtil Windows driver left PCs, All-in-One and 2-in-1 systems using this driver open to attack. Dell had issued the security advisory DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver, as well as this FAQ.

The driver file may have been installed on virtually any Dell system running Windows once one of the firmware update utility packages Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent or Dell Platform Tags was used. Dell had then updated this driver (see DSA-2021-088) to address the vulnerabilities – that was the state of affairs as I knew it.

Drivers can still be abused

Security researchers at Rapid7 had already pointed out in this post on December 13, 2021 that many cybercriminals abuse Windows drivers for their own purposes to inject malware into systems. This is known as the Bring Your Own Vulnerable Driver (BYOVD) attack method. In this technique, the attackers try to trick the user into installing a legitimate but vulnerable driver on a target computer. Through this vulnerable driver, the attackers then attempt privilege escalation on Windows and inject code into the target system.

Now the colleagues at Bleeping Computer have noticed that Rapid7 states that the driver vulnerability CVE-2021-21551 in dbutil_2_3.sys is also exploitable in newer Dell driver versions. Rapid7 security researchers have developed a Metasploit module that implements the LSA protection attack using the new Dell drivers (dbutildrv2.sys 2.5 and 2.7). An attacker with elevated privileges can use the module to enable or disable process protection for any PID.

Dell drivers are particularly valuable to attackers because they comply with Microsoft's latest driver signing requirements. The likelihood of Dell drivers for Windows being blocklisted is rather low, because the drivers are used to update the firmware of a large number of products, and preventing users from updating their computers' firmware by blocking the drivers would make little sense. Meanwhile, according to Rapid7, malware is already using these Dell drivers in attacks. When Rapid7 contacted Dell, the following response came back:

After careful consideration with the product team, we have classified this issue as a vulnerability rather than a security risk because a certain privilege level is required to perform an attack. This is consistent with the guidance provided in the Windows driver model. We do not intend to publish a security advisory or issue a CVE on this issue.

It is true that installing the driver requires administrator privileges. But an attacker with those privileges can then attack the kernel via the driver and possibly install rootkits, etc. The countermeasure would be to block installation of the drivers in question via driver block rules – but Dell drivers are not currently on the list (Dell is working with Microsoft on this, though). Those who have the option to enable Hypervisor-Protected Code Integrity (HVCI) should definitely do so. Furthermore, Secure Boot should at least be enabled.
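To turn the countermeasures above into a quick host check, here is an added PowerShell audit script (my own example, not code from Dell, Rapid7 or the original post) that looks for the DBUtil driver files named in this article, reports whether such a driver is currently loaded, and shows the HVCI and Secure Boot state. It assumes an elevated PowerShell session on Windows 10/11; the search paths are an assumption of mine and may need extending in your environment.

```powershell
# Added example: audit one Windows host for Dell DBUtil drivers and for the
# mitigations discussed above (driver presence, HVCI, Secure Boot).
# Assumptions: elevated session; file names as named in the post; the search
# roots (System32\drivers, Windows\Temp, per-user Temp) are an assumption.

$driverNames = @('dbutil_2_3.sys', 'dbutildrv2.sys')
$searchRoots = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp") +
               (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

# 1. Driver files on disk: path, file version and Authenticode signer for each hit.
#    A valid Dell signature is expected here; the point is that the file exists at all.
foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Include $driverNames -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Version   = $_.VersionInfo.FileVersion
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status
            }
        }
}

# 2. Loaded kernel drivers: a running DBUtil service is the state a BYOVD attack relies on.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'dbutil' } |
    Select-Object Name, State, StartMode, PathName

# 3. HVCI: Win32_DeviceGuard lists running security services; value 2 = HVCI active,
#    which is the setting the post recommends enabling where possible.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"HVCI running: $hvciRunning"

# 4. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, hence the try/catch.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: not available (legacy BIOS or insufficient rights)" }
```

A hit in step 1 or 2 on a machine that no longer needs the Dell update utilities is worth following up, since the signed driver remains usable by anyone who already holds administrator rights.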

Similar articles:
Windows driver with vulnerabilities (CVE-2021-21551) puts millions of Dell systems at risk
Update for BIOS/UEFI vulnerabilities in Dell systems
Security vulnerabilities in iDRAC8/9 software put Dell servers at risk
