Attackers can get root by crashing Ubuntu’s AccountsService
Attackers can get root by crashing Ubuntu’s AccountsService
Police arrests ransomware affiliate behind high-profile attacks
Bugs in billions of WiFi, Bluetooth chips allow password, data theft
Google pushes emergency Chrome update to fix zero-day used in attacks
TinyNuke info-stealing malware is again attacking French users
Phishing campaign uses PowerPoint macros to drop Agent Tesla
Dell driver fix still allows Windows Kernel-level attacks
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
In May 2021, a set of five vulnerabilities in Dell computer drivers collectively tracked as CVE-2021-21551 was disclosed and fixed after it remained exploitable for 12 years.
However, Dell’s fix wasn’t comprehensive enough to prevent additional exploitation, and as security researchers warn now, it is an excellent candidate for future Bring Your Own Vulnerable Driver (BYOVD) attacks.
“We found that Dell’s update didn’t fix the write-what-where condition but only limited access to administrative users. According to Microsoft’s definition of security boundaries, Dell’s fix removed the security issue,” explains Rapid7 researcher Jake Baines.
“However, the partially fixed driver can still help attackers.”
BYOVD is the abbreviation for “Bring Your Own Vulnerable Driver,” an attack technique in which threat actors install a legitimate but vulnerable driver on a target machine.
This vulnerable driver is then exploited to elevate privileges or execute code on the target system.
It is a known technique that has been widely deployed in the wild for many years. Unfortunately, even though Microsoft has attempted to mitigate the issue with stricter Windows DSE (Driver Signature Enforcement) rules, the problem persists.
There are at least four open-source exploits enabling actors to load unsigned drivers onto the Windows kernel, and one of them, KDU, supports over 14 driver options.
Based on that alone, and without even accounting for custom tools authored by sophisticated actors and used privately and exclusively, it becomes clear that BYOVD is a permanent threat.
Dell’s ‘dbutil_2_3.sys’ driver, which is the driver that is vulnerable to CVE-2021-21551, can facilitate BYOVD attacks, and as Rapid7 researchers warn, this applies to recent driver versions too.
The write-what-where condition persists in dbutildrv2.sys 2.5 and 2.7, so attackers have a total of three signed driver candidates for kernel code execution.
To exploit the vulnerability, threat actors will already need administrator privileges, which may make it silly to be concerned about this vulnerability.
However, advanced threat actors can use this vulnerability to execute code in kernel mode, or ring 0, which is the highest privilege level possible in Windows.
With this level of access, threat actors can deploy UEFI rootkits, hide exploitation and rootkit artifacts, or perform almost any command they want in Windows. Ultimately, advanced threat actors can conduct attacks that are highly resistant to detection, allowing them to remain resident on devices for months, if not longer.
The researchers developed a Metasploit module that implements an LSA protection-subversion attack using the later (2.5 and 2.7) versions of the Dell driver, which is demonstrated in the video below.
“An attacker with escalated privileges can use the module to enable or disable process protection on arbitrary PID,” explains Rapid7’s report.
“The Dell drivers are especially valuable because they are compatible with the newest signing requirements issued by Microsoft.”
To add to the problem, these later driver versions are unlikely to get blocked and will remain available for targeted, stealthy exploitation.
According to Rapid7, threat actors are still limited to exploiting dbutil_2_3.sys, so versions 2.5 and 2.7 aren’t being abused yet.
However, the researchers believe this is only a matter of time now, so additional detection and mitigation efforts are required.
Rapid7 contacted Dell on the issue, and as the vulnerability already requires administrator privileges, the computer maker responded with the following statement:
“After careful consideration with the product team, we have categorized this issue as a weakness and not a vulnerability due to the privilege level required to carry out an attack. This is in alignment with the guidance provided in the Windows Driver Model. We are not planning on releasing a security advisory or issuing a CVE on this.”
However, as threat actors can still use the drivers to gain ring 0 access, Rapid7 advises admins to implement the following security measures to block malicious drivers from loading on their system:
Finally, consider submitting the vulnerable drivers to Microsoft to apply pressure for their inclusion in the blocklist.
AMD fixes dozens of Windows 10 graphics driver security bugs
Hackers start pushing malware in worldwide Log4Shell attacks
New Cerber ransomware targets Confluence and GitLab servers
Hackers use in-house Zoho ServiceDesk exploit to drop webshells
New Windows zero-day with public exploit lets you become an admin
Not a member yet? Register Now
Amazon explains the cause behind Tuesday’s massive AWS outage
Hackers start pushing malware in worldwide Log4Shell attacks
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

Microsoft Edge now bashes Google Chrome when you download it

FBI: Cuba ransomware breached 49 US critical infrastructure orgsResearchers discover 14 new…

ALPHV BlackCat – This year's most sophisticated ransomware

New zero-day exploit for Log4j Java library is an enterprise nightmareALPHV BlackCat…

Sitecore XP RCE flaw patched last month now actively exploited

State hackers breach defense, energy, healthcare orgs worldwideMediaMarkt hit by Hive ransomware,…

Windows 10 21H2 is released, here are the new features

Windows 10 21H2 is released, here are the new featuresNew Rowhammer technique…