Multiple exploits have been found in one of Dell’s Windows kernel drivers. The five related bugs, which may lead to escalation of privileges, denial of service, or information disclosure, are collectively classified as CVE-2021-21551.
Dell issued a patch for these vulnerabilities on May 4th, 2021 and we recommend you apply it earliest opportunity.
The bugs go all the way back to 2009, and Dell’s official list of affected products stretches for many pages. As a result, the challenge for IT teams is identifying whether your organization is impacted by this issue, the scope of that impact, and how to focus your time and remediation efforts appropriately.
Query with Sophos EDR
Sophos Endpoint Detection and Response (EDR) makes it easy to identify whether you have the file associated with this vulnerability on a device, and how many devices have that file. This allows you to focus remediation efforts and quickly address the issue.
We have created a custom EDR query that identifies which endpoints across your estate require your attention. It also confirms which endpoints do not have the file associated with CVE-2021-21551.
Go to the Threat Analysis Center in Sophos Central, select Live Discover and create a new query.
Cut and paste the query below:
-- Check if the dbutil_2_3.sys file is present or not SELECT CASE WHEN (SELECT 1 FROM file WHERE path LIKE 'C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys' OR path LIKE 'C:\Windows\Temp\dbutil_2_3.sys') = 1 THEN 'SYSTEM REQUIRES ATTENTION: File for CVE-2021-21551 (dbutil_2.3.sys) located in directory '|| (SELECT directory FROM file WHERE path LIKE 'C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys' OR path LIKE 'C:\Windows\Temp\dbutil_2_3.sys') ELSE 'File for CVE-2021-21551 (dbutil_2_3.sys) not found' END Status
Run the query across your estate.
Remediating impacted devices
Dell has provided instructions for manually removing the affected kernel driver, which it advises will be found in one of two places:
- C:\Users\%USERNAME%\AppData\Local\Temp\dbutil_2_3.sys
- C:\Windows\Temp\dbutil_2_3.sys
If you are nervous about removing system files by hand, Dell has published a download page with an automatic driver remover.
Learn more
For more information on the vulnerability and how it can be exploited, read the Sophos Naked Security article.
Sophos EDR is available for both endpoints and servers and is included in Intercept X subscriptions. You can run it for free, for thirty days:
- Sophos customers using Sophos Central can activate a free trial directly within their management console. Simply select Free Trials at the bottom of the left hand navigation bar.
- Anyone not using Sophos can start a free trial via our website.
Viral Shah
Hi Sophos!
Can’t we use the SHA256 mentioned at https://www.dell.com/support/kbdoc/en-in/000186020/additional-information-regarding-dsa-2021-088-dell-driver-insufficient-access-control-vulnerability to hunt for the files, instead of the path based approach.
Sally Adam
Hi,
yes you can. That is the beauty of EDR -there are multiple ways to achieve the goal.
Del
Sophos needs transparency. Is this something that is NOT protected by EDR?
Sally Adam
Sophos EDR has our best protection, that will detect and prevent different threats and exploits through multiple layers of defense. It also enables customers to hunt for threats in their environment, like this Dell vulnerability.
Muhammad
The question is not actually related to this vulnerability, but can you please help me modify/ extend this query to check for another vulnerability?
Suppose i am looking for a specific file (HTML) in a user’s system (which can be done using above query) and then i want to check if specific parameter has True value in the file?
Let me know How can i read an HTML file and check if specific text is written in the file or not. Thank you!
Sally Adam
The Sophos EDR community forum is the best place to go for help with questions like these: https://community.sophos.com/intercept-x-endpoint/i/query-forum
Also simple string search of text files can be done using the Sophos Extension table ‘Grep’
SELECT * FROM GREP WHERE pattern = ‘YOUR SEARCH STRING’ and path = ‘YOUR FILE PATH’