CVE-2021-21551
published 2021-05-04

CVE-2021-21551: Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.

Priority: P1 82 · Severity: high · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-04-21)
Exploited in the wild
EPSS: 57.47% (99.0th percentile)

Affected

2 ranges
Vendor · Product · Version range · Fixed in
dell · dbutil · <= 2.3 · (not listed)
dell · dbutil · (range not listed) · (not listed)

Detection & IOCs (extracted from sources)

filename: dbutil_2_3.sys
path: C:\Windows\Temp\dbutil_2_3.sys
other: IOCTL 0x9B0C1EC8
other: IOCTL 0x9B0C1EC4
path: \\.\DBUtil_2_3
command: DeviceIoControl(hDevice, EXPLOITABLE_RW_CONTROL_CODE, &privilege_present_params, sizeof(privilege_present_params), &privilege_present_params, sizeof(privilege_present_params), &bytesReturned, NULL)
other: #define IOCTL_CODE 0x9B0C1EC8
  • Monitor for creation of the device object \Device\DBUtil_2_3 or symbolic link \\.\DBUtil_2_3, which indicates the vulnerable driver has been loaded and is accepting IOCTL requests from any process (SID S-1-1-0 / Everyone).
  • Alert on any non-privileged process issuing DeviceIoControl calls to \Device\DBUtil_2_3 with IOCTL code 0x9B0C1EC8 (arbitrary kernel read/write via memmove) or 0x9B0C1EC4 (read primitive).
  • Detect presence of dbutil_2_3.sys dropped in C:\Windows\Temp; this path is anomalous for a kernel driver and can be used as a BYOVD staging indicator.
  • Monitor for a new service creation event (e.g., via Process Hacker or ETW) associated with dbutil_2_3.sys, which is how the driver is transiently loaded during Dell firmware update utilities.
  • Detect exploitation attempts that overwrite _SEP_TOKEN_PRIVILEGES fields (Present/Enabled/EnabledByDefault at token+0x40/0x48/0x50) with 0xffffffffffffffff via the IOCTL write primitive.
  • Watch for exploitation chains that invoke ntdll!NtQueryIntervalProfile after writing shellcode into the driver's .data section, as this is used to redirect kernel execution flow during privilege escalation.
  • Flag use of KUSER_SHARED_DATA address 0xFFFFF78000000000 as a read anchor in kernel exploit chains targeting this driver, as it is used to establish the arbitrary read primitive.
  • The vulnerable driver (dbutil_2_3.sys version 2.3) accepts IOCTL requests from any process with no ACL restrictions (SID S-1-1-0 / Everyone), meaning exploitation requires only local authenticated (non-admin) access; no special privileges are needed to open the device handle.
  • At time of publication the vulnerable driver's certificate had not been revoked, meaning it could still be used in BYOVD (Bring Your Own Vulnerable Driver) attacks even after patching.
  • No in-the-wild exploitation had been observed at time of disclosure; however, the driver has been present on hundreds of millions of Dell Windows devices since at least 2009.

CVSS provenance

Source · Version · Score · Severity · Vector
nvd · v3.1 · 7.8 · HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 4.6 · MEDIUM · AV:L/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 8.8 · HIGH
cisa · 7.8 · HIGH