Millions Of Dell Devices At Risk Due To A Vulnerable Driver

Brock Bingham candid headshot
Brock Bingham|Updated May 17, 2021
image (91)
image (91)

We've got a live one, folks.  If you're a Dell shop, buckle up because this ride might get a little bumpy.  The security research firm SentinelLabs has found five high severity flaws in Dell's firmware update driver.  The driver, which comes pre-installed on most Dell machines, has been in use since at least 2009, meaning this driver is most likely installed on millions if not hundreds of millions of Dell computers. So if you have a Dell or manage Dell computers, you are most likely affected by these vulnerabilities and will need to take action.

On The Loose For 12 Years

The specific driver in question is dbutil_2_3.sys.  The driver is responsible for Dell Firmware Updates via the Dell Bios Utility and is installed on desktops, laptops, and tablets and can be found on both personal and enterprise-level equipment.  Kasif Dekel, the security researcher who discovered the vulnerabilities, was alerted to the driver using the application Process Hacker, which can notify users as processes get created or deleted.  This led Kasif to discover five separate vulnerabilities.  Four of these vulnerabilities, if exploited, can lead to an elevation of privileges from a non-administrator to kernel mode privileges and another code logic issue that can result in a denial of service.  All five of these vulnerabilities are being tracked under one CVE, which is CVE-2021-21551.  Dell goes into more detail about the affected drivers and systems on this Dell Security Advisory DSA-2021-088 page.

Locating Affected Machines With PDQ Inventory

This may come as a shock to some, but the first thing Dell recommends doing is to remove the affected driver.  I know, crazy.  Luckily, with the help of PDQ Inventory, we can quickly scan our environment for affected devices.  Dell has listed the following locations to check for the driver file:

C:\Users\<username>\AppData\Local\Temp\

and

C:\Windows\Temp

Since we know where to narrow down our search, we can create a Files & Directories scanner to search for devices that have the culprit file.

  1. With PDQ Inventory open, click Scan Profiles.

  2. Click New

  3. Give your new scan profile a descriptive name

  4. Click Add

  5. Click Files & Directories

  6. Make sure File is selected for the Type, then add these two entries into the Include Pattern(s) field.

    dv1
  7. Click OK

  8. Click OK at the Scan Profile window

    dv2

With our scanner created, we can now run it against our computers.  Right-click on All Computers, then click Scan Collection > "New Scanner Name"

dv3

Once the scanner starts, you can view the scan status of each computer in the All Computers view.

dv4

Once the scan completes, double-click on any computer to open the computer details window. Next, click on the Files & Directories menu item to view the results of the scan.

dv5

As you can see in the above image, the scan found the file in four locations on this computer.

Creating A Dynamic Collection Of Computers With The Driver File

Before we remove the file from the affected computers, we want to make sure we only target the devices that have the dbutil_2_3.sys file.  We don't want to waste bandwidth and resources trying to remove the file from computers that don't have it.  The easiest way to do this is to create a dynamic collection in PDQ Inventory.

  1. With PDQ Inventory open, click New Dynamic Collection

  2. Enter a descriptive name for the collection

  3. Add the following filter:  Files & Directories > Name > Contains > dbutil_2_3.sys

    dv6
  4. Click OK

  5. The new dynamic collection should appear in the menu with the rest of your dynamic collections, and it should give you a number of how many computers are members of the collection

    dv7
  6. Clicking on the collection should give you the list of all the computers that contain the driver file

    dv8

Using PowerShell And PDQ Deploy To Remove The Files

Alright, now that we've got our computers neatly organized into a dynamic collection, we can proceed to remove the vulnerable files with extreme prejudice.  With PDQ Deploy, we can build and deploy a PowerShell package that checks for the files and terminates them.

  1. With PDQ Deploy open, click New Package

  2. Give your package a worthy name

  3. Click New Step > PowerShell

  4. Add the following PowerShell script:


    dv9
  5. Now let's add a scan step to ensure the file is removed after the script runs.  Click New Step > Scan

  6. For the Scan Profile, select the scan profile we created in PDQ Inventory

    dv11
  7. Click Save

Now that our package has been created let's first test it out to ensure it's working correctly before deploying it to all affected machines.

  1. Right-click on the package and click Deploy Once

  2. Enter a computer that you know has the driver file

    dv10
  3. Click Deploy Now

PDQ Deploy will send out the package, which will remove the files from the machine you selected.  Once the deployment is complete, the computer will be scanned to ensure the file was removed.  If everything is successful, you can send the package out to a broader test group, or, if you've got more faith than George Michael's 1987 hit song, then go ahead and deploy that package to the entire dynamic collection.  Follow the same steps as above, except for step 2, select Choose Targets > PDQ Inventory > Collection,  then select the dynamic collection we created in PDQ Inventory and click OK.

dv12

Once the deployment finishes, check the dynamic collection in PDQ Inventory to ensure that all of the computers had the files removed successfully.  If some devices were offline and didn't receive the package, you can create a schedule with a heartbeat trigger in PDQ Deploy, sending the package out to those missed computers as they come online.  You can find out more about creating schedules with dynamic collections and heartbeat triggers in this blog post.

Wrapping Up

After removing the files, Dell recommends obtaining and running a remediated firmware update utility package to keep the vulnerable driver from returning in an accidental update in order to perform a dell security advisory update silent install. You can find out more about the utility needed for your systems on the Dell Security Advisory DSA-2021-088 page.

PDQ Inventory and PDQ Deploy make scanning for and removing vulnerable files from your systems a walk in the park.  If you don't already use PDQ Inventory and PDQ Deploy, go download our free 14-day trial.  If you manage hundreds or even thousands of Dell machines, now's the perfect time to try out our products.

Brock Bingham candid headshot
Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.

Related articles