Detect Privilege Escalation Vulnerabilities (CVE-2021-21551) in Dell BIOS Driver

May 06, 2021 · 3 min read

Dell computers worldwide are potentially vulnerable to attacks due to high-severity flaws introduced back in 2009. According to experts, a set of five issues tracked together as CVE-2021-21551 affects Dell DBUtil driver and allows adversaries to gain kernel-mode privileges on the affected machines. Although CVE-2021-21551 has been present in the driver for more than a decade, currently, there is no evidence of exploitation in the wild.

CVE-2021-21551 Description

The analysis from SentinelLabs reveals that vulnerability resides in the dbutil_2_3.sys module of the DBUtil, which comes pre-installed on the majority of Dell machines running Windows. The driver is responsible for firmware upgrades, being loaded to the device during the BIOS update process and then unloaded after system reboot.

A single CVE-2021-21551 covers five security holes affecting Dell’s driver. Two of them stem from lack of input validation, two derive from memory corruption glitches, and the last one occurs because of a login issue able to trigger denial-of-service. All bugs chained together result in a privilege escalation on the affected devices and allow non-admin actors to execute malware with kernel-mode rights. As a result, the malicious code receives unrestricted access to all hardware components on the instance.

Potential attack scenarios presume exploitation of the flaws to overcome security solutions. Also, a hacker inside the organizational network might use the bugs to reach local elevation of privileges and move laterally across the environment.

Although CVE-2021-21551 has been affecting Dell devices already for 12 years, currently, there are no confirmed facts of cyber-attacks in the wild.

Detection and Mitigation

Security issues were reported to the vendor in late 2020, and recently, Dell has released an advisory that provides mitigation steps to address the bugs. Users are urged to apply patches as soon as possible.

To detect possible exploitation attempts and protect your company infrastructure, you can download a community Sigma rule released by Florian Roth, SOC Prime’s advisor, the inventor of Sigma, and seasoned threat hunter:

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye

EDR: Carbon Black, Sentinel One


Tactics: Privilege Escalation,

Techniques: Exploitation for Privilege Escalation (T1068)

Get a free subscription to Threat Detection Marketplace, an industry-leading Detection as Code platform that provides detection, enrichment, integration, and automation algorithms to support security performers while translating big data, logs, and cloud telemetry into cybersecurity signals. You can stream curated SOC content directly to the SIEM, EDR, NSM, and SOAR tools of your choice, boosting threat detection capabilities. Want to craft your own detection content? Join our Threat Bounty Program and get rewarded for your input!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts