MSEndpointMgr

Detect and remove Dell CVE-2021-21551 with Proactive Remediations

Today we have yet another reason why you should be using Endpoint Analytics and Proactive Remediations, at least if you are running Dell systems. The reason of course is the recently disclosed CVE affecting the Dell firmware update utilities, specifically the dbutil_2_3.sys driver they drop onto the system, which an attacker with local access could use to gain kernel-mode privileges on your systems.

The issue, documented on both Dell’s own site (DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver | Dell UK) and SentinelLabs’ site (CVE-2021-21551- Hundreds Of Millions Of Dell Computers At Risk Due to Multiple BIOS Driver Privilege Escalation Flaws – SentinelLabs (sentinelone.com)), is high risk, so organisations around the globe need to detect and remove the vulnerable driver as soon as possible.

Proactive Remediations FTW (yes.. again..)

Proactive Remediations is a feature of Endpoint Analytics, and if you haven’t already discovered this gem, I suggest you check out the other posts on our site for more detail on the type of things we are doing with it. Basically it works on the basis of a detection script and a remediation script; other than that you can “script your own destiny” (credit to @jordanb for that one-liner).

Detection Script

Let’s start off with the detection script. According to Option 2 in the remediation steps on Dell’s website, we simply need to do the following;

Option 2: Manually remove the vulnerable dbutil_2_3.sys driver:
Step A: Check the following locations for the dbutil_2_3.sys driver file
C:\Users\\AppData\Local\Temp
C:\Windows\Temp
Step B: Select the dbutil_2_3.sys file and hold down the SHIFT key while pressing the DELETE key to permanently delete.

This means we simply need to search the above locations with system rights (so that every user’s profile can be read, not just the logged-on user’s) to detect whether the file is present;

<#	
	.NOTES
	===========================================================================
	 Created with: 	SAPIEN Technologies, Inc., PowerShell Studio 2021 v5.8.188
	 Created on:   	05/05/2021 08:56
	 Created by:   	MauriceDaly
	 Organization: 	Cloudway
	 Filename:     	Detect-CVE202121551.ps1
	===========================================================================
	.DESCRIPTION
		Searches for dbutil_2_3.sys associated with Dell CVE-2021-21551
#>

# File name of the vulnerable driver that the Dell update utilities drop into the temp folders
$SystemFile = "dbutil_2_3.sys"
try {
	# Search every user profile (covers C:\Users\<user>\AppData\Local\Temp) and the system temp folder.
	# The script runs as SYSTEM, so the profiles of other users are readable.
	$UserProfileSearch = Get-ChildItem -Path C:\Users -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue
	$TempSearch = Get-ChildItem -Path C:\Windows\Temp -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue
	$Detected = @($UserProfileSearch) + @($TempSearch)
	if ($Detected.Count -gt 0) {
		# Exit 1 marks the device as non-compliant and triggers the remediation script.
		# Listing the paths makes the pre-remediation detection output useful in the portal.
		Write-Output "Dell $SystemFile file has been detected: $($Detected.FullName -join '; ')"; exit 1
	} else {
		Write-Output "Dell $SystemFile file not present on system"; exit 0
	}
} catch {
	Write-Output "Issues occurred while attempting to detect $SystemFile : $($_.Exception.Message)"; exit 1
}

The searches return file objects only when the driver is present, so whether anything came back decides the exit code and therefore whether the device is flagged as having the file or not. Using Configuration Manager and a script, we can quickly see how big the issue is (assuming you are not Intune native here..)

Now that we have identified we have machines with the issue, we need a remediation script to remove the offending system files.

Remediation Script

Once the machine has detected the issue, we need to remediate it. This is a simple matter of extending the detection script and including the code to remove the file;

<#	
	.NOTES
	===========================================================================
	 Created with: 	SAPIEN Technologies, Inc., PowerShell Studio 2021 v5.8.188
	 Created on:   	05/05/2021 08:56
	 Created by:   	MauriceDaly
	 Organization: 	Cloudway
	 Filename:     	Remove-CVE202121551.ps1
	===========================================================================
	.DESCRIPTION
		Searches for and removes dbutil_2_3.sys associated with Dell CVE-2021-21551
#>

$SystemFile = "dbutil_2_3.sys"
try {
	$UserProfileSearch = Get-ChildItem -Path C:\Users -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue
	$TempSearch = Get-ChildItem -Path C:\Windows\Temp -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue
	$Detected = @($UserProfileSearch) + @($TempSearch)
	if ($Detected.Count -gt 0) {
		Write-Output "Dell $SystemFile file has been detected"
		foreach ($File in $Detected.FullName) {
			# Remove-Item only raises a non-terminating error when a delete fails (for example a file
			# locked by a running Dell updater); -ErrorAction Stop sends that to the catch block so the
			# script reports the failure instead of claiming success.
			Remove-Item -Path $File -Force -ErrorAction Stop
			Write-Output "Removed Dell $SystemFile from $File"
		}
		# Verify nothing was left behind before reporting success
		$Remaining = @(Get-ChildItem -Path C:\Users, C:\Windows\Temp -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue)
		if ($Remaining.Count -gt 0) {
			Write-Output "Dell $SystemFile still present: $($Remaining.FullName -join '; ')"; exit 1
		}
		exit 0
	} else {
		Write-Output "Dell $SystemFile file not present on system"; exit 0
	}
} catch {
	Write-Output "Issues occurred while attempting to remediate : $($_.Exception.Message)"; exit 1
}

Now we have the scripts, we can put this into a proactive remediation package and let it clean up the issue in our environment.

Proactive Remediation

Simply follow the below process to create and deploy your PR;

  1. Log onto the Endpoint Manager portal (https://endpoint.microsoft.com)
  2. Click on Reports
  3. Click on Endpoint Analytics
  4. Click on Proactive Remediations
  5. Click on “Create Script Package”
  6. Give your package a name
  7. Add the detection and remediation scripts
  8. Assign your script to either all devices or an Azure AD group, changing the schedule to suit (in this instance for quick reporting I have it set as hourly)
  9. Review and create the package
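As an added example (not code from the original post, and not Microsoft’s own tooling), the same package can be created and assigned through the Microsoft Graph beta API with the Microsoft.Graph PowerShell SDK instead of clicking through the portal. It assumes the SDK is installed, that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission, that the two scripts above are saved beside this one under the filenames in their .NOTES headers, and that $GroupId is replaced with a real Azure AD group object ID; the deviceHealthScripts endpoint is in the beta namespace and may change.

```powershell
# Added example (not from the original post): create and assign the Proactive Remediation
# package through the Microsoft Graph beta API rather than the Endpoint Manager portal.
# Assumptions: Microsoft.Graph SDK installed, DeviceManagementConfiguration.ReadWrite.All
# granted, the two scripts from this post saved beside this file, $GroupId replaced.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$DetectionPath   = Join-Path $PSScriptRoot "Detect-CVE202121551.ps1"
$RemediationPath = Join-Path $PSScriptRoot "Remove-CVE202121551.ps1"
$GroupId         = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your group object ID

# Script bodies are sent base64-encoded, which is what the portal does behind the scenes
function ConvertTo-Base64File([string]$Path) {
    [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

$Package = @{
    "@odata.type"            = "#microsoft.graph.deviceHealthScript"
    displayName              = "Dell CVE-2021-21551 dbutil_2_3.sys"
    description              = "Detects and removes the vulnerable Dell dbutil_2_3.sys driver"
    publisher                = "MSEndpointMgr"
    runAsAccount             = "system"       # SYSTEM rights are needed to search every user profile
    enforceSignatureCheck    = $false
    runAs32Bit               = $false
    detectionScriptContent   = ConvertTo-Base64File $DetectionPath
    remediationScriptContent = ConvertTo-Base64File $RemediationPath
}

$Created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts" `
    -Body ($Package | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign to the group with remediation enabled on an hourly schedule (the setting used in this post)
$Assignment = @{
    deviceHealthScriptAssignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $GroupId
            }
            runRemediationScript = $true
            runSchedule = @{
                "@odata.type" = "#microsoft.graph.deviceHealthScriptHourlySchedule"
                interval      = 1
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/$($Created.id)/assign" `
    -Body ($Assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

Write-Output "Created Proactive Remediation package $($Created.id) and assigned it to group $GroupId"
```

Running it once creates the package and its assignment; re-running creates a second package with the same display name, so look the package up by displayName first if you want the script to be idempotent.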

Results

Once your PR has been deployed for long enough, your clients will start reporting their status. You should see something similar to the below;

Clicking on Device Status, we can see the script output by clicking on “Columns” and selecting both the pre-remediation and post-remediation detection output columns. With those selected, we can see the machines which reported a “failed” detection state (the driver was present) and have since run both the detection and remediation steps;

Note – Update Dell Tools

To prevent reintroduction of a vulnerable dbutil driver, obtain and run a remediated firmware update utility package, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, or Dell Platform Tags as applicable.

Other Considerations

If you have packaged Dell BIOS firmware updates for deployment, you should also check those packages, recreate them from the remediated Dell utilities, and run the latest BIOS firmware updates on your systems. Check out our Modern BIOS Management scripts for this (note these are for Configuration Manager at present).

Configuration Manager – Configuration Baseline

If you are not licensed for Endpoint Analytics, or you are a Configuration Manager only environment, you can of course use a similar approach within a Configuration Baseline;

Detection Script

<#	
	.NOTES
	===========================================================================
	 Created with: 	SAPIEN Technologies, Inc., PowerShell Studio 2021 v5.8.188
	 Created on:   	05/05/2021 18:15
	 Created by:   	MauriceDaly
	 Organization: 	Cloudway
	 Filename:     	Detect-CVE202121551-CM.ps1
	===========================================================================
	.DESCRIPTION
		Searches for dbutil_2_3.sys associated with Dell CVE-2021-21551
#>

function DetectCVEIssue {
	$SystemFile = "dbutil_2_3.sys"
	$UserProfileSearch = Get-ChildItem -Path C:\Users -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue
	$TempSearch = Get-ChildItem -Path C:\Windows\Temp -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue
	# Returns True when the vulnerable driver is present (non-compliant) and False when it is not.
	# The Configuration Item compares this string against the expected value of "False".
	if ((@($UserProfileSearch) + @($TempSearch)).Count -gt 0) {
		Return $True
	} else {
		Return $False
	}
}

DetectCVEIssue

Remediation Script

<#	
	.NOTES
	===========================================================================
	 Created with: 	SAPIEN Technologies, Inc., PowerShell Studio 2021 v5.8.188
	 Created on:   	05/05/2021 18:15
	 Created by:   	MauriceDaly
	 Organization: 	Cloudway
	 Filename:     	Remove-CVE202121551-CM.ps1
	===========================================================================
	.DESCRIPTION
		Searches for and removes dbutil_2_3.sys associated with Dell CVE-2021-21551
#>

function RemediateCVEIssue {
	$SystemFile = "dbutil_2_3.sys"
	try {
		$UserProfileSearch = Get-ChildItem -Path C:\Users -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue
		$TempSearch = Get-ChildItem -Path C:\Windows\Temp -Filter $SystemFile -Recurse -ErrorAction SilentlyContinue
		$Detected = @($UserProfileSearch) + @($TempSearch)
		if ($Detected.Count -gt 0) {
			Write-Output "Dell $SystemFile file has been detected"
			foreach ($File in $Detected.FullName) {
				# A failed delete (for example a locked file) becomes a terminating error and is reported below
				Remove-Item -Path $File -Force -ErrorAction Stop
				Write-Output "Removed Dell $SystemFile from $File"
			}
		} else {
			Write-Output "Dell $SystemFile file not present on system"
		}
	} catch {
		# Compliance is re-evaluated by the discovery script after remediation,
		# so a failure here leaves the device reported as non-compliant
		Write-Output "Issues occurred while attempting to remediate : $($_.Exception.Message)"
	}
}

RemediateCVEIssue

Taking the two scripts above, we would first configure a Configuration Item with the settings defined as per the screenshot below;

The compliance rule should then expect a returned value of “False” (the driver was not found), with the remediation script set to run when the setting is non-compliant;

Now simply add the Configuration Item to a new Configuration Baseline, deploy it to a collection containing the Dell systems and let it do its thing. Once your machines start to check in, you should see the compliance values start to increase;
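As an added example (not code from the original post), the Configuration Item, Baseline and deployment above can be built with the ConfigurationManager PowerShell module rather than the console wizard. It assumes it is run from a machine with the console installed, that $SiteCode and $CollectionName are replaced with your own values, and that the two CM scripts above are saved beside this file under the filenames in their .NOTES headers; the cmdlet parameter names are as documented for the module, so check them with Get-Help on your console version before relying on them.

```powershell
# Added example (not from the original post): build the CI, Baseline and deployment with the
# ConfigurationManager module. Assumptions: console installed, $SiteCode and $CollectionName
# replaced, the two CM scripts from this post saved beside this file.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode       = "PS1"                    # placeholder, replace with your site code
$CollectionName = "All Dell Workstations"  # placeholder, replace with your Dell collection
Set-Location "$($SiteCode):\"

$DetectionScript   = Get-Content -Path (Join-Path $PSScriptRoot "Detect-CVE202121551-CM.ps1") -Raw
$RemediationScript = Get-Content -Path (Join-Path $PSScriptRoot "Remove-CVE202121551-CM.ps1") -Raw

# Configuration Item with one script setting: compliant when discovery returns "False"
# (driver absent); the remediation script runs automatically when the rule is non-compliant.
$CI = New-CMConfigurationItem -Name "Dell CVE-2021-21551 dbutil_2_3.sys" -CreationType WindowsOS `
    -Description "Detects and removes the vulnerable Dell dbutil_2_3.sys driver"
$CI | Add-CMComplianceSettingScript -Name "dbutil_2_3.sys present" -DataType String `
    -DiscoveryScriptLanguage PowerShell -DiscoveryScriptText $DetectionScript `
    -RemediationScriptLanguage PowerShell -RemediationScriptText $RemediationScript `
    -RuleName "dbutil_2_3.sys must not be present" -ExpressionOperator IsEquals -ExpectedValue "False" `
    -Remediate -NoncomplianceSeverity Critical

# Baseline containing the CI, deployed to the Dell collection with remediation enforced hourly
$Baseline = New-CMBaseline -Name "Dell CVE-2021-21551 Remediation"
Set-CMBaseline -InputObject $Baseline -AddOSConfigurationItem $CI.CI_ID
New-CMBaselineDeployment -InputObject $Baseline -CollectionName $CollectionName -EnableEnforcement $true `
    -Schedule (New-CMSchedule -RecurInterval Hours -RecurCount 1)
```

The hourly schedule mirrors the quick-reporting setting used for the Proactive Remediation earlier in the post; relax it to the usual daily evaluation once the estate is clean.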

Conclusion

If you are a Dell hardware house, then you need to get the ball moving on this ASAP. Thank you to my colleague Ben Whitmore for giving me the nudge on the issue first thing this morning.

Thanks for reading.

Maurice Daly

Maurice has been working in the IT industry for the past 20 years and currently working in the role of Senior Cloud Architect with CloudWay. With a focus on OS deployment through SCCM/MDT, group policies, active directory, virtualisation and office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017. Most recently his focus has been on automation of deployment tasks, creating and sharing PowerShell scripts and other content to help others streamline their deployment processes.
