Hundreds of millions of Dell desktops, laptops and servers have serious security flaws that could allow malware to take over the machines.
The flaws, five in all, have to do with a system driver dating back to 2009 called dbutil_2_3.sys, which lets the user update a computer’s BIOS/UEFI firmware (the low-level motherboard software that starts up a PC) from Windows.
Newer Dell machines have this flawed driver pre-installed, said Sentinel One researcher Kasif Dekel in a report. Older Dell machines may have installed the driver when they updated their BIOS/UEFI or other firmware.
All versions of Windows are affected, although Dell machines running Linux should be fine.
What you can do now
To fix this flaw, Dell has released a tool that removes the dodgy system driver. You’ll have to input your Dell model name or service tag, and then the tool’s web page should provide the correct driver along with the removal tool.
However, we found that not everyone can use the tool. While there’s a fix available for our 2018 Dell Latitude 5490, our 2013 Dell XPS 13 (which runs the latest Windows 10 build just fine) is out of luck.
We’re not sure if that means that the XPS 13 didn’t ship with the driver in question, or if Dell just doesn’t care about eight-year-old machines. But we’ll ask Dell and will update this story when we get an answer.
Dell is promising an “enhanced” version of the firmware-removal-and-update tool on May 10 that may resolve some of the issues above. It’s hard to tell because neither Dell’s security advisory nor its FAQ about the flawed driver were written with anyone but IT professionals in mind.
Alternatively, Dell says, you can check whether the dbutil_2_3.sys driver file is present in either of the folders “C:\Users\<username>\AppData\Local\Temp” or “C:\Windows\Temp”.
If it is, select it and press the Delete key while holding down the Shift key to permanently delete the file (bypassing the Recycle Bin).
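For anyone who has to check more than one machine, the two manual steps above can be scripted. The PowerShell below is an added example written for this article, not Dell’s removal tool or anything from Sentinel One’s report: it looks for a file named dbutil_2_3.sys in C:\Windows\Temp and in every user profile’s AppData\Local\Temp, records each copy’s SHA-256 hash so it can be compared against whatever Dell publishes, reports any registered driver that references that file name, and deletes the on-disk copies only when run with -Remove. It assumes an elevated PowerShell prompt (reading other users’ profiles needs it) and that the file name and folder paths are exactly as given above.

```powershell
# Added example, not Dell's or Sentinel One's code: find and optionally remove
# the dbutil_2_3.sys driver file from the temp folders named in the article.
# Run from an elevated PowerShell prompt; review the report before using -Remove.
param(
    [switch]$Remove
)

$driverName = 'dbutil_2_3.sys'

# Candidate locations: the system temp folder plus each user profile's local temp folder.
$candidates = @("$env:SystemRoot\Temp")
foreach ($userDir in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $candidates += Join-Path $userDir.FullName 'AppData\Local\Temp'
}

# Collect every copy found, with its hash, so the result can be logged or compared later.
$found = @()
foreach ($dir in $candidates) {
    $path = Join-Path $dir $driverName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $found += [pscustomobject]@{ Path = $path; SHA256 = $hash }
    }
}

# Also report any registered or running driver whose image path mentions the file,
# since a loaded driver is the real exposure, not just a stray copy on disk.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName*" } |
    Select-Object Name, State, PathName

if ($found.Count -eq 0) {
    Write-Output "No copy of $driverName found in the checked temp folders."
} else {
    Write-Output "Copies of $driverName found:"
    $found | Format-Table -AutoSize
}

if ($loaded) {
    Write-Output "Driver entries referencing ${driverName}:"
    $loaded | Format-Table -AutoSize
}

if ($Remove -and $found.Count -gt 0) {
    foreach ($item in $found) {
        # Remove-Item does not use the Recycle Bin, matching the Shift+Delete step above.
        Remove-Item -LiteralPath $item.Path -Force
        Write-Output "Removed $($item.Path)"
    }
}
```

Save it as, for example, Check-Dbutil.ps1 and run it once without arguments to see the report; run it again with -Remove to delete the copies it listed. If the driver shows up in the Win32_SystemDriver output as loaded, deleting the file alone is not enough and Dell’s removal tool or a reboot after removal is still needed.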
How the flaws let hackers take over your machine
Dekel isn’t explaining exactly how these flaws, grouped together in the single vulnerability listing CVE-2021-21551, can be exploited.
Sentinel One, Dell and Microsoft agree that they won’t divulge the details until users have had some time to patch the flaws. But the upshot is that a local user, even one with limited privileges, can use these flaws to “escalate privileges” and gain full system control.
“The high severity flaws could allow any user on the computer, even without privileges, to escalate their privileges and run code in kernel mode,” wrote Dekel in his company’s report. “Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products” such as antivirus software.
Kernel mode is a system privilege that even users with administrative privileges — the ability to install, update and delete software — don’t normally get.
This means that malware that infects even the least-privileged user account — say, one belonging to a child — can use these flaws to add new powers and totally take over the system.
Here’s a video by Sentinel One that shows one of these exploits in action. The command-line screens show a “weak user” with limited privileges running a program called “exploit.exe” that suddenly gives the “weak user” a whole lot of system privileges.
Dekel said that as of yesterday, when his report was released, there was no indication that any bad guys had used these flaws to attack machines.