On May 4, 2021, security firm SentinelLabs released details about a security flaw in Dell machines that allows anyone with physical access to the computer to gain elevated privileges. This vulnerability has been around for over a decade, making hundreds of millions of computers vulnerable.
If you are a client, we have already performed the recommended remediation to your computers.
We'll look at the details of this problem, along with how to stay safe.
The Dell Vulnerability Explained
SentinelLabs discovered a flaw in the firmware update driver that Dell uses on its systems, named dbutil_2_3.sys. Importantly, the firmware updates themselves are not infected. Rather, the driver packaged with these firmware updates contains exploits that could be used maliciously.
This driver does not exist by default on Dell computers running Windows. It gets installed when you use utilities like Dell Command Update, Dell SupportAssist, and Alienware Update. These utilities make it easy to check for the latest driver, firmware, and BIOS updates for your system; they're more specific for your computer than the ones Windows Update finds.
Since Dell has been using this driver for firmware updates since 2009, any Dell computer released since that time, that has downloaded any kind of Dell update, could fall victim to attack using this method. You can see a full list of affected models on Dell's page covering this vulnerability.
The vulnerability, assigned CVE-2021-21551, is actually a set of five flaws. Anyone with access to an affected computer can exploit deep technical issues to gain full privileges on the computer. SentinelLabs hasn't provided a proof of concept for these flaws; it is waiting until June 1, 2021 to give Dell time to patch the problem.
Of course, with full control over the machine, someone would be free to bypass security checks, install malware, and do whatever else they wanted. If an organization uses a lot of Dell machines, an attacker could launch a wide-scale attack using these vectors.
While someone with physical access could exploit these issues, you don't necessarily have to be at a computer. A bad actor who obtained access to someone's machine using malware, phishing, or remote access would be able to exploit these problems too.
Dell says it hasn't seen any reports of this being abused in the wild, but given its wide reach, it's likely that attackers will eventually take advantage of it.
How to Stay Safe From the Dell Exploit
If you are a current client, this section has already been taken care of for you.
If you have a Dell machine, the company has issued fixes to keep you safe from this vulnerability. First, it recommends that affected users remove the vulnerable driver from their system.
You can do this manually, but it's easier to do so using Dell's utility. Download the Dell Security Advisory Update - DSA-2021-088 tool and run it on your system to remove the affected driver.
After May 10, 2021, Dell will offer this utility through Dell Command Update, Dell SupportAssist, and its other driver update utilities. Check for updates through those apps to download this utility even more conveniently. Visit Dell's Download notification applications page if you need to reinstall the right utility for your system.
Once you've removed the affected driver, you need to install the latest updates from Dell to make sure that the problematic driver isn't re-introduced on your system in a future update. These updates are available now for Windows 10 users.
Dell says that the updates will be available for Windows 7 and Windows 8.1 by July 31, 2021. If you're on one of those platforms (remember that Windows 7 is no longer supported) and update your firmware before then, you need to re-run the utility linked above again to remove the vulnerable driver.
Since this exploit applies to computers from as far back as 2009, many of the affected machines are no longer supported by Dell. If you're using a computer that's past its end of life, you should still run the driver removal utility. But if you ever install a firmware update in the future, you'll need to run the removal tool again since Dell doesn't offer a patch to fix the issue permanently on these devices.
Staying Safe From a Major Exploit
This security flaw is dangerous because it's so widespread, but thankfully hasn't been abused in any major cases that we know of yet. Dell has worked quickly to patch the issue, so as long as you're not using an old, unsupported machine, installing the latest updates after May 10 will keep you safe.
While you're installing Dell updates, it's a good idea to take the time to update everything else in Windows, too.
Image Credit: Someformofhuman/Wikimedia Commons