CVE-2021-36276
published 2021-08-09


Priority: P2 · 73 · high · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 0.27% (18.4th percentile)
Dell DBUtilDrv2.sys driver (versions 2.5 and 2.6) contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.

Affected (3 ranges)

Vendor  Product                  Version range  Fixed in
dell    dbutil                   -              -
dell    dbutildrv2.sys_firmware  -              -
dell    dbutildrv2.sys_firmware  -              -

Detection & IOCs (extracted from sources)

filename: DBUtilDrv2.sys
  • Monitor for installation events of the Dell DBUtilDrv2.sys driver (CVE-2021-36276) via Device Manager / INF file, as TCESB installs it using the BYOVD technique to modify kernel callback structures.
  • Detect loading of version.dll from non-system directories (e.g., temp or current working directory) within the ecls.exe (ESET Command-line scanner) process, indicative of DLL-proxying / T1574.
  • Alert on outbound GET requests to msdl.microsoft.com for PDB symbol downloads from non-developer/non-debugging hosts, as TCESB fetches ntoskrnl PDB files to resolve kernel structure offsets.
  • Monitor for extensionless payload files named 'kesp' or 'ecore' appearing in the current working directory of a suspicious process, as TCESB polls every two seconds for these AES-128 encrypted payload files.
  • DBUtilDrv2.sys versions 2.5 and 2.6 are the vulnerable versions exploited; version scoping is important to avoid false positives on patched/updated driver versions.
  • CVE-2021-36276 exploitation requires local authenticated user access; remote exploitation is not possible, so detections should be scoped to local privilege escalation scenarios.
  • TCESB falls back to downloading PDB files from Microsoft's symbol server only when its embedded CSV (matching EDRSandBlast as of August 13, 2022) does not contain offsets for the running kernel version; network detections on msdl.microsoft.com may not fire on all targets.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     4.6    MEDIUM    AV:L/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        8.8    HIGH      -