Dell driver fix still allows Windows Kernel-level attacks (Security News, December 2021)
Dell's fix wasn't comprehensive enough to prevent additional exploitation, and as security researchers warn now, it is an excellent candidate for future Bring Your Own Vulnerable Driver attacks.
"However, the partially fixed driver can still help attackers."
What is BYOVD? BYOVD stands for "Bring Your Own Vulnerable Driver," an attack technique in which threat actors install a legitimate, validly signed but vulnerable driver on a target machine and then abuse it to gain kernel-level access.
There are at least four open-source exploits enabling actors to load unsigned drivers onto the Windows kernel, and one of them, KDU, supports over 14 driver options.
Dell's dbutil_2_3.sys driver, the driver vulnerable to CVE-2021-21551, can facilitate BYOVD attacks, and as Rapid7 researchers warn, this applies to recent driver versions too.
"After careful consideration with the product team, we have categorized this issue as a weakness and not a vulnerability due to the privilege level required to carry out an attack. This is in alignment with the guidance provided in the Windows Driver Model. We are not planning on releasing a security advisory or issuing a CVE on this."
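The defensive counterpart to the BYOVD problem described above is that a vulnerable driver passes signature checks, so detection has to key on which driver was loaded rather than on whether it was signed. The following is an added example, not code from the article, Rapid7 or Dell: it scans constructed records modelled on Sysmon Event ID 6 (DriverLoad) fields and flags loads of the dbutil_2_3.sys driver named on this page, plus any driver whose signature is missing or not valid. The record layout, timestamps and paths are assumptions made for the example.

```python
import ntpath
from typing import Dict, List, Tuple

# Driver file names known to be abusable in BYOVD attacks. dbutil_2_3.sys is the
# Dell driver named in the article (CVE-2021-21551); extend this set from your
# own vulnerable-driver intelligence.
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}

# Constructed sample records modelled on Sysmon Event ID 6 (DriverLoad) fields,
# one record per line as "Key: value" pairs joined by " | ". Timestamps, paths
# and signer strings are invented for this example; no hashes are included.
SAMPLE_EVENTS = """\
UtcTime: 2021-12-01 10:00:00 | ImageLoaded: C:\\Windows\\System32\\drivers\\ntfs.sys | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid
UtcTime: 2021-12-01 10:05:12 | ImageLoaded: C:\\Users\\Public\\dbutil_2_3.sys | Signed: true | Signature: Dell Inc | SignatureStatus: Valid
UtcTime: 2021-12-01 10:06:40 | ImageLoaded: C:\\Temp\\helper.sys | Signed: false | Signature: - | SignatureStatus: Unavailable
"""


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'Key: value | Key: value' record into a dict of fields."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons this driver load deserves attention (empty if none)."""
    reasons: List[str] = []
    # ntpath handles Windows-style paths even when this runs on a non-Windows host.
    name = ntpath.basename(event.get("ImageLoaded", "")).lower()
    if name in VULNERABLE_DRIVER_NAMES:
        # A validly signed but known-vulnerable driver is exactly the BYOVD case:
        # signature checks pass, so the file name (or its hash) is what you key on.
        reasons.append(f"known-vulnerable driver loaded: {name}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver signature missing or not valid")
    return reasons


def scan(records: str) -> List[Tuple[str, List[str]]]:
    """Scan newline-separated records; return (ImageLoaded, reasons) for each flagged load."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in records.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = evaluate(event)
        if reasons:
            flagged.append((event.get("ImageLoaded", ""), reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

On the constructed input the ntfs.sys load is silent, the dbutil_2_3.sys load is flagged purely by name despite its valid signature, and the unsigned helper.sys load is flagged by the signature rule. In production the name set should be replaced or supplemented by file hashes from a vulnerable-driver list, since an attacker controls the file name of the driver they bring along.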
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-05-04 | CVE-2021-21551 | Unspecified vulnerability in Dell dbutil_2_3.sys: the Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. | 7.8