"Hundreds of millions" of Dell PCs Being Threatened by Security Flaws - What to Do [updated]

"Hundreds of millions" of Dell PCs Being Threatened by Security Flaws - What to Do [updated]

Hundreds of millions of Dell desktops, laptops, and servers have a serious security flaw that could allow malware to take over their machines.

The flaws, five in all, involve a system driver dating back to 2009 called dbutil_2_3.sys.

Newer Dell machines come with this flawed driver preinstalled, Sentinel One researcher Kasif Dekel said in a report. Older Dell machines may have installed this driver when they updated their BIOS/UEFI or other firmware.

All versions of Windows are affected, but Dell machines running Linux should be fine.

To correct this flaw, Dell has released a tool to remove the incorrect system driver. Enter the Dell model name or service tag, and the tool's web page will provide the correct driver and removal tool.

However, we found that not everyone can use this tool. Our 2018 Dell Latitude 5490 has a fix available, but our 2013 Dell XPS 13 (which works fine with the latest Windows 10 build) was not so lucky.

[CORRECTION: We looked again at the slightly confusing tools page and realized that what it actually says is not that all systems, especially many systems that are out of service, cannot get new drivers to replace the faulty drivers . However, all systems can download and use the tool."]

On May 10, Dell promised an "enhanced" version of its firmware removal and update tool that might resolve some of the above problems. It is difficult to determine this, since neither Dell's security advisory nor its FAQ on the flawed drivers were written with non-IT professionals in mind. [Dell states that you can check to see if the dbutil_2_3.sys driver file is in the file path "C:㊦AppData㊦Local㊦Temp" or "C:㊦Windows㊦Temp". [If so, select that file and hold down the Shift key and click the Delete key on your keyboard to permanently delete that file.

Dekel does not explain exactly how these flaws, summarized in the single vulnerability list CVE-2021-21551, can be exploited.

Sentinel One, Dell, and Microsoft have agreed not to reveal details until users have time to patch the flaws. But the bottom line is that even local users with limited privileges can take advantage of these flaws to "elevate privileges" and gain complete control of the system.

"High severity flaws could allow any user on a computer, even without privileges, to escalate privileges and execute code in kernel mode," Dekel wrote in his company's report. An obvious exploit for such a vulnerability is that it could be used to bypass security products such as antivirus software."

Kernel mode is a system privilege that even users with administrative privileges (the ability to install, update, and remove software) do not normally obtain.

This means that even malware that infects the least privileged user accounts, such as children's accounts, can take advantage of these flaws to add new privileges and completely take over the system.

Here is a video by Sentinel One showing such an exploit in action. On the command line screen, a "weak user" with limited privileges runs a program called "exploit.exe," suddenly giving the "weak user" system-wide privileges.

Dekel said that as of yesterday, when his report was published, there was no indication that the bad guys had taken advantage of these flaws to attack the machines.

A Dell spokesperson said that "even older Dell machines can use the driver removal tool," and that Dell owners will simply start seeing notices that they need to run the tool on May 10.

We were advised to look at the long list of two devices listed in the official Dell Security Advisory. (Our 2013 XPS 13 did not appear to be on either list.)

For devices that are out of service, the Dell representative said that users must take one of the three options in Step 1 of the security advisory: run the driver removal tool as is, remove the driver manually, or wait to be notified on May 10 Wait. The removal of the faulty driver must be done after updating the BIOS/UEFI, other firmware, or other drivers.

.

Categories