After 12 years of exploitability, a collection of five vulnerabilities in Dell computer drivers, tracked together as CVE-2021-21551, was disclosed and patched in May 2021. However, Dell’s update was insufficient to prevent further exploitation, and, as security researchers have warned, the driver is now a prime target for future “Bring Your Own Vulnerable Driver” (BYOVD) attacks.
Dell’s update did not remove the write-what-where condition; it only restricted the driver to administrative users. According to Rapid7 analyst Jake Baines, that fix satisfies Microsoft’s definition of a security boundary. However, attackers can still benefit from the partially fixed driver.
“Bring Your Own Vulnerable Driver,” or BYOVD, is an attack method in which malicious actors install a genuine, validly signed but vulnerable driver on a target machine. The vulnerable driver is then abused to gain elevated privileges or execute code on the target system.
It is a well-known technique that has been used in the wild for a long time. Despite Microsoft’s efforts to curb it by enforcing stricter Windows Driver Signature Enforcement (DSE) requirements, the problem persists. Attackers can load unsigned drivers into the Windows kernel using at least four open-source tools, one of which, KDU, offers more than 14 driver choices. On this basis alone BYOVD is a perpetual danger, even before accounting for bespoke tools built by sophisticated actors and used secretly and exclusively.
BYOVD attacks can be facilitated by Dell’s dbutil_2_3.sys driver, which is vulnerable to CVE-2021-21551, and, as Rapid7 researchers advise, this also applies to the current driver versions. Since the write-what-where condition is still present in dbutildrv2.sys 2.5 and 2.7, attackers now have three signed driver choices for kernel code execution. Because threat actors already need administrator rights to exploit the vulnerability, it may seem pointless to worry about it. However, advanced threat actors can leverage this vulnerability to execute code in kernel mode, or ring 0, which is Windows’ highest privilege level.
Threat actors with this degree of access may install UEFI rootkits, hide exploitation and rootkit artifacts, and run nearly any command in Windows. Advanced threat actors can thereby carry out cyberattacks that are very resistant to detection, allowing them to stay on devices for months, if not longer. The researchers created a Metasploit module that uses the later (2.5 and 2.7) versions of the Dell driver to conduct an LSA protection-subversion attack.
Rapid7’s report explains that “an attacker with escalated privileges can use the module to enable or disable process protection on arbitrary PID.”
“The Dell drivers are especially valuable because they are compatible with the newest signing requirements issued by Microsoft.” To make matters worse, these later driver versions are unlikely to be blocked, meaning they will remain available for targeted, covert attacks. According to Rapid7, threat actors are still confined to abusing dbutil_2_3.sys; that is, versions 2.5 and 2.7 are not being misused yet. However, the researchers believe it is only a matter of time until this happens, so additional detection and mitigation measures are needed today.
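Because the write-what-where primitive survives in signed, non-blocked driver versions, the practical defensive signal is the driver load itself rather than any particular exploit. The following is an added example (not code from the article or from Rapid7) showing how a detection script could scan driver-load telemetry for the three Dell driver files named above. The log format is a constructed, flattened approximation of Sysmon Event ID 6 (Driver Loaded), the timestamps and paths are constructed, and the "unusual load path" heuristic is the author's assumption, not a claim made on the page.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File names of the Dell drivers discussed in the article. dbutil_2_3.sys is the
# original CVE-2021-21551 driver; dbutildrv2.sys (2.5 / 2.7) still carries the
# write-what-where condition but is restricted to administrators.
VULNERABLE_DELL_DRIVERS = {
    "dbutil_2_3.sys": "Dell dbutil_2_3.sys, CVE-2021-21551 write-what-where",
    "dbutildrv2.sys": "Dell dbutildrv2.sys 2.5/2.7, write-what-where still present",
}

# Heuristic (assumption): legitimate drivers normally load from the system
# drivers directory; a BYOVD drop is commonly staged somewhere else.
EXPECTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Constructed, flattened Sysmon Event ID 6 (Driver Loaded) records; the
# hashes are omitted on purpose so no real indicator is implied.
SAMPLE_DRIVER_LOADS = [
    r"UtcTime: 2021-12-01 10:15:02.112 ImageLoaded: C:\Windows\System32\drivers\ndis.sys Signed: true Signature: Microsoft Windows",
    r"UtcTime: 2021-12-01 10:16:44.310 ImageLoaded: C:\Users\alice\AppData\Local\Temp\dbutil_2_3.sys Signed: true Signature: Dell Inc.",
    r"UtcTime: 2021-12-01 10:17:01.000 ImageLoaded: C:\Windows\Temp\DBUtilDrv2.sys Signed: true Signature: Dell Inc.",
    r"UtcTime: 2021-12-01 10:18:09.455 ImageLoaded: C:\Windows\System32\drivers\tcpip.sys Signed: true Signature: Microsoft Windows",
]

LOG_RE = re.compile(
    r"UtcTime: (?P<time>\S+ \S+) ImageLoaded: (?P<image>.+?) "
    r"Signed: (?P<signed>\w+) Signature: (?P<signature>.+)$"
)


@dataclass
class Finding:
    time: str
    image: str
    driver: str          # normalized (lower-case) file name that matched
    reason: str          # why this driver is of interest
    signed: bool         # a valid signature does NOT make a BYOVD load benign
    unusual_path: bool   # loaded from outside the system drivers directory


def parse_driver_load(line: str):
    """Parse one flattened Driver Loaded record; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m["time"],
        "image": m["image"],
        "signed": m["signed"].lower() == "true",
        "signature": m["signature"],
    }


def find_vulnerable_driver_loads(lines):
    """Return a Finding for every load of a known-vulnerable Dell driver.

    Matching is on the file name, case-insensitively, because the attacker
    controls the path and Windows file names are not case-sensitive.
    """
    findings = []
    for line in lines:
        rec = parse_driver_load(line)
        if rec is None:
            continue
        path = PureWindowsPath(rec["image"])
        name = path.name.lower()
        if name not in VULNERABLE_DELL_DRIVERS:
            continue
        in_expected_dir = str(path.parent).lower() == str(EXPECTED_DRIVER_DIR).lower()
        findings.append(Finding(
            time=rec["time"],
            image=rec["image"],
            driver=name,
            reason=VULNERABLE_DELL_DRIVERS[name],
            signed=rec["signed"],
            unusual_path=not in_expected_dir,
        ))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_driver_loads(SAMPLE_DRIVER_LOADS):
        flags = "signed" if f.signed else "unsigned"
        if f.unusual_path:
            flags += ", unusual path"
        print(f"[{f.time}] {f.image} -> {f.reason} ({flags})")
```

The point of keeping `signed` in the finding is that a valid Dell signature is exactly what makes these drivers useful to an attacker, so a detection rule must not treat "signed by a known vendor" as an allow condition. On a fleet that never runs Dell’s BIOS utility, any load of these file names is worth an alert; where the utility is legitimately used, the load path and the loading process give the additional context needed to triage.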