
CVE-2021-21551

Dell DBUtil, arbitrary kernel read/write via insufficient IOCTL access control

Summary

| Field | Value |
| --- | --- |
| Driver | DBUtil_2_3.sys |
| Vendor | Dell |
| Vulnerability Class | Arbitrary R/W / IOCTL Access Control |
| Abused Version | 2.3 (shipped with Dell BIOS update utilities) |
| Status | Blocklisted — included in Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |

The Story

Dell's BIOS update utilities (Dell Command Update, Dell Update, Alienware Update) all ship with DBUtil_2_3.sys, a kernel driver that provides hardware access for firmware flashing operations. The driver exposes five IOCTL codes covering virtual memory read/write, physical memory read/write via MmMapIoSpace, and MSR access. None of them validate the caller's privilege level, check address ranges, or restrict which memory regions can be accessed.

The device object (\Device\DBUtil) has a permissive security descriptor that allows any authenticated user to open a handle. The IOCTLs accept a user-supplied address and size, then perform the operation directly: RtlCopyMemory for virtual memory, MmMapIoSpace plus RtlCopyMemory for physical memory. This is not a bug but a design choice. Dell designed the driver to give its companion utility full hardware access, and the absence of any access control means any process on the system inherits that access.

Connor McGarr wrote the definitive analysis in a 5-part blog series that walks through the complete reverse engineering and exploitation process. The exploit fits in about 100 lines of C. Multiple ransomware groups have used this driver in production operations, leveraging the massive installed base of Dell systems where the driver was already present or easily deployable.

BYOVD Context

  • Driver signing: Authenticode-signed by Dell with a valid certificate; accepted by Windows driver signature enforcement
  • Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules since 2022
  • HVCI behavior: Blocked on HVCI-enabled systems via the blocklist; without HVCI, loads normally
  • KDU integration: Integrated as a KDU provider
  • LOLDrivers: Listed at loldrivers.io with SHA256 hashes and detection rules

Affected IOCTLs

  • 0x9B0C1EC4 — Arbitrary virtual memory read
  • 0x9B0C1EC8 — Arbitrary virtual memory write
  • 0x9B0C1ECC — Arbitrary physical memory read (via MmMapIoSpace)
  • 0x9B0C1ED0 — Arbitrary physical memory write (via MmMapIoSpace)
  • 0x9B0C1ED4 — MSR read/write
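The access field of each control code is the part of the access-control story the list above does not spell out. The following added example (not code from the original page or from Dell) decodes the five listed IOCTL values with the documented Windows CTL_CODE layout, (DeviceType << 16) | (Access << 14) | (Function << 2) | Method, and reports whether the I/O manager would require any particular handle access before delivering the request to the driver. The code values are taken from the list above; the field names and helper functions are this example's own.

```python
"""Decode the DBUtil IOCTL control codes into their CTL_CODE fields.

Added example; not code from the original page or from Dell. The five IOCTL
values are the ones listed for DBUtil_2_3.sys; the field layout is the
documented Windows CTL_CODE encoding.
"""

# CTL_CODE field encodings as defined in the Windows DDK headers
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# IOCTL codes listed for DBUtil_2_3.sys, with the labels used on the page
DBUTIL_IOCTLS = {
    0x9B0C1EC4: "arbitrary virtual memory read",
    0x9B0C1EC8: "arbitrary virtual memory write",
    0x9B0C1ECC: "arbitrary physical memory read (MmMapIoSpace)",
    0x9B0C1ED0: "arbitrary physical memory write (MmMapIoSpace)",
    0x9B0C1ED4: "MSR read/write",
}


def decode_ioctl(code: int) -> dict:
    """Split a 32-bit control code into its four CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("control code must fit in 32 bits")
    return {
        "device_type": (code >> 16) & 0xFFFF,   # bits 16-31
        "access": ACCESS[(code >> 14) & 0x3],    # bits 14-15
        "function": (code >> 2) & 0xFFF,         # bits 2-13
        "method": METHODS[code & 0x3],           # bits 0-1
    }


def requires_handle_access(code: int) -> bool:
    """True if the I/O manager rejects the IOCTL on a handle that was not
    opened with the matching read/write access; False for FILE_ANY_ACCESS,
    where any handle to the device object is enough and every check is
    left to the driver itself."""
    return decode_ioctl(code)["access"] != "FILE_ANY_ACCESS"


def describe(code: int) -> str:
    """One-line human-readable rendering of a control code."""
    d = decode_ioctl(code)
    # Device types 0x8000 and above are the vendor-defined range
    dev_range = "vendor-defined" if d["device_type"] >= 0x8000 else "Microsoft-reserved"
    return (f"0x{code:08X}: device_type=0x{d['device_type']:04X} ({dev_range}), "
            f"function=0x{d['function']:03X}, {d['method']}, {d['access']}")


def summarize_dbutil() -> dict:
    """Decode every listed DBUtil IOCTL; returns {code: decoded fields}."""
    return {code: decode_ioctl(code) for code in DBUTIL_IOCTLS}


if __name__ == "__main__":
    for code, label in DBUTIL_IOCTLS.items():
        print(f"{describe(code)}  -> {label}")
    print("any code requires handle access:",
          any(requires_handle_access(c) for c in DBUTIL_IOCTLS))
```

All five codes share device type 0x9B0C, use METHOD_BUFFERED, and carry consecutive function numbers 0x7B1 to 0x7B5 with FILE_ANY_ACCESS. That last field means the kernel will hand the request to the driver for any handle to the device, so with the permissive device security descriptor described above there is no layer left that could have refused the caller.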

From BIOS Updater to SYSTEM in Six Steps

The exploitation requires no memory corruption, no race condition, and no heap layout manipulation:

  1. The attacker loads DBUtil_2_3.sys via sc.exe create / sc.exe start, or drops it to disk and loads it via NtLoadDriver.
  2. They open a handle to \\.\DBUtil, which is accessible to any authenticated user.
  3. The virtual memory read IOCTL locates the current process's EPROCESS structure, either via PsGetCurrentProcess or by scanning kernel memory.
  4. Walking the EPROCESS linked list reveals the SYSTEM process token.
  5. The virtual memory write IOCTL overwrites the current process's token with the SYSTEM token.
  6. The calling process now runs as SYSTEM.

The entire chain is deterministic. No information leak is needed because the read IOCTL provides it. No heap spray is needed because the write IOCTL is direct. The 100-line exploit is as reliable as any legitimate kernel API call.

Detection

YARA Rule

rule CVE_2021_21551_DBUtil {
    meta:
        description = "Detects Dell DBUtil_2_3.sys vulnerable driver"
        cve = "CVE-2021-21551"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }                                  // PE "MZ" header
        $driver_name = "DBUtil" wide ascii nocase        // driver/module name
        $device = "\\Device\\DBUtil" wide ascii          // device object name
        $dell_cert = "Dell Inc" wide ascii               // signer string
    condition:
        // PE file named DBUtil that also carries the device name or the Dell signer string
        $mz at 0 and $driver_name and ($device or $dell_cert)
}

ETW Indicators

| Provider | Event / Signal | Relevance |
| --- | --- | --- |
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of DBUtil_2_3.sys from non-standard paths (temp directories, user-writable locations) |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Fires when the driver is registered as a kernel service via sc.exe or NtLoadDriver |
| Microsoft-Windows-Kernel-Process | Process token modification | Detects runtime token replacement after arbitrary R/W is achieved |
| Sysmon | Event ID 6 — Driver loaded | Captures driver image path, signature status, and hash for loaded kernel drivers |

Behavioral Indicators

  • Loading of DBUtil_2_3.sys from a temporary directory, Downloads folder, or user-writable path rather than from Dell's official installation directory
  • Rapid sequence of DeviceIoControl calls to \\.\DBUtil performing read and write operations to kernel addresses
  • Process privilege escalation from medium to SYSTEM integrity without going through standard elevation mechanisms (UAC, runas)
  • Service creation for a kernel driver by a process that is not a Dell update utility
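The ETW table and the behavioral indicators above translate directly into log-side checks. The following added example (not code from the original page, from Dell, or from any vendor tooling) runs those checks over constructed Sysmon Event ID 6 and Security Event 4697 records: a DBUtil image loaded from a user-writable path, a DBUtil load whose hash is on a blocklist, and a DBUtil kernel service registered by a process that is not a Dell updater. The event dicts are simplified renderings of those events; TRUSTED_DRIVER_DIRS, the KNOWN_BAD_SHA256 entry and the CallerProcessName attribution field are placeholders and assumptions of this example, not values from the page.

```python
"""Flag DBUtil_2_3.sys load and service-install events in Sysmon/Security logs.

Added example: not code from the original page, Dell, or any vendor tooling.
Event dicts are simplified renderings of Sysmon Event ID 6 (Driver loaded) and
Security Event 4697 (Service installed). TRUSTED_DRIVER_DIRS, KNOWN_BAD_SHA256
and the CallerProcessName field are assumptions/placeholders.
"""
import re

# Assumed legitimate locations for the driver (placeholder; set per estate).
TRUSTED_DRIVER_DIRS = (
    "c:\\program files (x86)\\dell\\",
    "c:\\program files\\dell\\",
    "c:\\windows\\system32\\drivers\\",
)
# Path fragments that indicate a user-writable or staging location.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\tmp\\", "\\downloads\\",
                       "\\appdata\\", "\\programdata\\", "\\public\\")
# Placeholder standing in for the loldrivers.io / Microsoft blocklist hashes.
KNOWN_BAD_SHA256 = {"placeholder_sha256_of_dbutil_2_3_sys"}

DBUTIL_FILE_RE = re.compile(r"dbutil[^\\]*\.sys$", re.IGNORECASE)
DELL_UPDATER_RE = re.compile(r"dell|alienware", re.IGNORECASE)


def normalise(path: str) -> str:
    return path.strip().strip('"').lower()


def from_trusted_dir(path: str) -> bool:
    return normalise(path).startswith(TRUSTED_DRIVER_DIRS)


def from_user_writable(path: str) -> bool:
    p = normalise(path)
    return any(hint in p for hint in USER_WRITABLE_HINTS)


def parse_sysmon_hashes(field: str) -> dict:
    """'SHA256=ab..,MD5=..' -> {'SHA256': 'ab..', 'MD5': '..'} (values lower-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().upper()] = v.strip().lower()
    return out


def check_event(ev: dict) -> list:
    """Return alert strings for one event; empty list when nothing matches."""
    alerts = []
    if ev.get("source") == "Sysmon" and ev.get("event_id") == 6:
        image = ev.get("ImageLoaded", "")
        if not DBUTIL_FILE_RE.search(image):
            return alerts
        # A valid Dell signature is expected here and is not reassuring:
        # the signed binary is the vulnerable one.
        if from_user_writable(image) or not from_trusted_dir(image):
            alerts.append(f"DBUtil driver loaded from non-standard path: {image}")
        sha = parse_sysmon_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha in KNOWN_BAD_SHA256:
            alerts.append(f"Loaded driver hash is on the vulnerable-driver blocklist: {sha}")
    elif ev.get("source") == "Security" and ev.get("event_id") == 4697:
        svc_file = ev.get("ServiceFileName", "")
        if not DBUTIL_FILE_RE.search(svc_file):
            return alerts
        is_kernel = str(ev.get("ServiceType", "")).lower() in ("0x1", "1")  # SERVICE_KERNEL_DRIVER
        caller = ev.get("CallerProcessName", "")  # constructed attribution field
        msg = f"Service '{ev.get('ServiceName')}' registered for DBUtil at {svc_file}"
        if is_kernel:
            msg += " (kernel driver)"
        if caller and not DELL_UPDATER_RE.search(caller):
            msg += f", installed by non-Dell process {caller}"
        alerts.append(msg)
    return alerts


def scan(events) -> list:
    """Run check_event over a sequence of events; returns [(index, alert), ...]."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


# Constructed sample events: a staged load, its service registration, and a
# benign load from the assumed Dell directory.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 6,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\DBUtil_2_3.sys",
     "Signed": "true", "Signature": "Dell Inc", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_DBUTIL_2_3_SYS"},
    {"source": "Security", "event_id": 4697, "ServiceName": "DBUtil_2_3",
     "ServiceFileName": r"C:\Users\alice\AppData\Local\Temp\DBUtil_2_3.sys",
     "ServiceType": "0x1", "CallerProcessName": r"C:\Users\alice\Desktop\loader.exe"},
    {"source": "Sysmon", "event_id": 6,
     "ImageLoaded": r"C:\Program Files (x86)\Dell\CommandUpdate\DBUtil_2_3.sys",
     "Signed": "true", "Signature": "Dell Inc", "SignatureStatus": "Valid",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event[{idx}]: {alert}")
```

The third sample load raises nothing because the path check is the only one that fires on location; a hash match against the real blocklist entries would still flag the driver wherever it sits, which is the check to rely on once the placeholder hash is replaced with the published values.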

Broader Significance

CVE-2021-21551 demonstrates the scale of the BYOVD problem when a major OEM is involved. Dell ships this driver on hundreds of millions of systems. Even after the vulnerability was disclosed and a patch released, the signed vulnerable binary remains deployable on any system without blocklist enforcement. Connor McGarr's detailed blog series also made this one of the most well-understood BYOVD exploitation chains, serving as a reference implementation for the "direct kernel read/write" class of BYOVD attacks.

References