
Dell driver fix still allows Windows Kernel-level attacks
2021-12-13 20:21

Dell's fix wasn't comprehensive enough to prevent additional exploitation, and as security researchers warn now, it is an excellent candidate for future Bring Your Own Vulnerable Driver attacks.

"However, the partially fixed driver can still help attackers."

What's BYOVD? BYOVD is the abbreviation for "Bring Your Own Vulnerable Driver," an attack technique in which threat actors install a legitimate but vulnerable driver on a target machine.

There are at least four open-source exploits enabling actors to load unsigned drivers onto the Windows kernel, and one of them, KDU, supports over 14 driver options.

Dell's dbutil_2_3.sys driver, the driver vulnerable to CVE-2021-21551, can facilitate BYOVD attacks, and as Rapid7 researchers warn, this applies to recent driver versions too.
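Because BYOVD drops a legitimately signed driver onto the host, a signature check alone will not flag it; the practical defender check is to inventory registered kernel drivers and on-disk driver files by name and record signer and hash for triage. The following PowerShell inventory is an added example, not code from the article or from Rapid7; the file-name pattern, the directories searched and the output fields are assumptions for illustration.

```powershell
# Added defender-side check (not from the article): list kernel driver
# services whose image matches Dell's dbutil_2_3.sys (the driver tied to
# CVE-2021-21551) and any stray copies in the usual driver directory.
# Assumed: run in an elevated PowerShell session on the host being checked.
$pattern = 'dbutil_2_3\.sys$'

function Get-DriverFacts {
    param([string]$Path)
    # Normalise quoted paths and the \??\ prefix that service images may carry
    $p = $Path -replace '^"(.*)"$', '$1' -replace '^\\\?\?\\', ''
    if (-not (Test-Path -LiteralPath $p)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $p
    [pscustomobject]@{
        Path      = $p
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status      # 'Valid' is expected for a BYOVD driver
        SHA256    = (Get-FileHash -Path $p -Algorithm SHA256).Hash
    }
}

# 1. Drivers registered as services (loaded or loadable on demand)
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -match $pattern) } |
    ForEach-Object {
        $facts = Get-DriverFacts -Path $_.PathName
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Facts     = $facts
        }
    }

# 2. On-disk copies that are not (yet) registered as a service
$onDisk = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'dbutil_2_3.sys' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-DriverFacts -Path $_.FullName }

"Registered driver services matching ${pattern}:"
$registered | Format-List
"On-disk copies in System32\drivers:"
$onDisk | Format-List
```

Any hit is worth correlating with who wrote the file and which process created the service, since the driver being validly signed is exactly what BYOVD relies on.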

"After careful consideration with the product team, we have categorized this issue as a weakness and not a vulnerability due to the privilege level required to carry out an attack. This is in alignment with the guidance provided in the Windows Driver Model. We are not planning on releasing a security advisory or issuing a CVE on this."


News URL

https://www.bleepingcomputer.com/news/security/dell-driver-fix-still-allows-windows-kernel-level-attacks/

Related Vulnerability

Date: 2021-05-04
CVE: CVE-2021-21551
Title: Unspecified vulnerability in Dell Dbutil 2 3.Sys
Description: Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure.
Risk: local, low complexity, vendor dell, 7.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Dell 1664 29 430 411 109 979