Dell driver patch still allows Windows kernel level attacks


In May 2021, a set of five vulnerabilities in Dell computer drivers collectively tracked as CVE-2021-21551 were disclosed and fixed after remaining exploitable for 12 years.

However, Dell’s patch was not comprehensive enough to prevent further exploitation, and as security researchers warn, it is an excellent candidate for future BYOVD (Bring Your Own Vulnerable Driver) attacks.

“We found that Dell’s update did not resolve the what-where write condition, it only limited access to administrative users. According to Microsoft’s definition of security limits, Dell’s patch removed the security issue, ”explains Jake Baines, researcher at Rapid7.

“However, the partially corrected driver can still help attackers.”

What is BYOVD

BYOVD is the abbreviation of “Bring your own vulnerable driver, “an attack technique in which malicious actors install a legitimate but vulnerable driver on a target machine.

This vulnerable driver is then exploited to elevate privileges or execute code on the target system.

It is a known technique which has been widely deployed in nature for many years. Unfortunately, even though Microsoft has attempted to mitigate the problem with stricter Windows Driver Signature Enforcement (DSE) rules, the problem persists.

There are at least four open source exploits that allow players to load unsigned drivers onto the Windows kernel, and one of them, KDU, supports over 14 driver options.

On this basis alone, and without even taking into account the custom tools created by sophisticated actors and used in a private and exclusive manner, it becomes clear that BYOVD is an ongoing threat.

The Dell problem

Dell’s “dbutil_2_3.sys” driver, which is the driver vulnerable to CVE-2021-21551, may facilitate BYOVD attacks, and as Rapid7 researchers warn, this also applies to recent versions of the drivers.

The write-what-where condition persists in dbutildrv2.sys 2.5 and 2.7, so attackers have a total of three candidate drivers signed for kernel code execution.

To exploit the vulnerability, the threat actors will already need administrator privileges, which can make it ridiculous to be concerned about this vulnerability.

However, advanced threat actors can use this vulnerability to execute code in kernel mode, or in ring 0, which is the highest possible privilege level in Windows.

With this level of access, malicious actors can deploy UEFI rootkits, hide exploit and rootkit artifacts, or run almost any command they want in Windows. Ultimately, advanced threat actors can carry out attacks that are highly resistant to detection, allowing them to remain resident on devices for months or longer.

Researchers have developed a Metasploit module that implements an LSA protection-subversion attack using later versions (2.5 and 2.7) of the Dell driver, which is shown in the video below.

“An attacker with elevated privileges can use the module to enable or disable the protection of processes on an arbitrary PID”, explains The Rapid7 report.

“Dell drivers are particularly valuable because they are compatible with the latest signing requirements issued by Microsoft. “

To add to the problem, these latest driver versions are unlikely to be blocked and will remain available for targeted and stealth exploitation.

Signing certificate on Windows
Signing certificate on Windows
Source: Rapid7

Address the problem

According to Rapid7, malicious actors are still limited to exploiting dbutil_2_3.sys, so versions 2.5 and 2.7 are not yet subject to abuse.

However, researchers believe it is only a matter of time now, so additional detection and mitigation efforts are needed.

Rapid7 contacted Dell about this, and since the vulnerability already requires administrator privileges, the computer manufacturer responded with the following statement:

“After careful consideration with the product team, we have classified this issue as a weakness and not a vulnerability due to the level of privilege required to conduct an attack. This is in accordance with the instructions provided in the Windows driver model. We do not plan to publish a Field Safety Notice or issue a CVE on this. “

However, since malicious actors can still use the drivers to gain access to Ring 0, Rapid7 advises administrators to implement the following security measures to prevent malicious drivers from loading on their system:

  • Use Microsoft’s driver blocking rules (not currently including Dell drivers)
  • Use all three hashes for 2.3, 2.5 and 2.7 on a third-party EDR solution
  • Enable Hypervisor Protected Code Integrity (HVCI)

Finally, consider submission drivers vulnerable to Microsoft to lobby for inclusion in the block list.


Please enter your comment!
Please enter your name here

Trending this Week