Additional Information Regarding DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver
Summary:This document provides additional Q&A in support of DSA-2021-088
Please select a product to check article relevancy
This article applies to This article does not apply toThis article is not tied to any specific product.Not all product versions are identified in this article.
A driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is first required before this vulnerability can be exploited.
Q: How do I know if I am impacted? A: You may be impacted if you:
have applied a BIOS, Thunderbolt, TPM, or dock firmware update to your system; or
currently or have previously used Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business)
Alternatively, if you manually run the utility as described in Step 2.2.2, Option A, of Dell Security Advisory DSA-2021-088, the utility will indicate if the impacted dbutil_2_3.sys driver was found and remediated on the system. To view a list of the platforms with impacted firmware update utility packages and software tools, or to learn more about this vulnerability and how to mitigate it, see Dell Security Advisory DSA-2021-088.
Q: I am using a Linux operating system. Does this issue impact me? A: No, this vulnerability is only applicable when running Windows operating systems on an impacted Dell platform.
Q: What is the solution? How do I remediate this vulnerability? A: All customers should execute the steps defined in section “2. Remediation Steps” of Dell Security Advisory DSA-2021-088.
Q: Why are there multiple steps in section “2. Remediation Steps” of Dell Security Advisory DSA-2021-088 A: Steps 2.1 and 2.2 are to immediately remediate this vulnerability. Step 2.3 is focused on informing you of how to obtain a remediated driver (DBUtilDrv2.sys) during your next scheduled firmware update. For each step, Dell is offering different options, and you should choose the option that best matches your circumstances.
Q: I have never updated my firmware, used Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business); and I only get BIOS updates through Windows Updates. Am I affected? A: No, Windows Updates does not install the affected dbutil_2_3.sys driver.
Q: I have Windows 7 or 8.1. Is there a solution for me? A: Yes, all Windows 7 and 8.1 customers should execute the steps defined in section “2. Remediation Steps” of the Dell Security Advisory DSA-2021-088.
Q: I am unsure if I am impacted. Is there something I can do to make sure my computer is not vulnerable? A: Yes, you should execute the steps defined in sections 2.2 and 2.3 of Dell Security Advisory DSA-2021-088. Performing these steps will not negatively affect your system regardless of prior impact.
Q: Will you be pushing the “Dell Security Advisory Update – DSA-2021-088” utility via Dell Command Update, Dell Update, Alienware Update, or SupportAssist? A: Yes. Refer to section 2.2.2 of Dell Security Advisory DSA-2021-088. However, customers should execute all steps defined in section “2. Remediation Steps”, as applicable to your environment.
Q: I ran the “Dell Security Advisory Update – DSA-2021-088” utility on my system to remove the dbutil_2_3.sys driver, and after rebooting the system, I still see the dbutil_2_3.sys driver. Why is that? A: If:
You did not update all of the impacted products listed in Step 2.2.1 of the “Remediation” section before removing the dbutil_2_3.sys driver, or
You run an impacted firmware update utility after removing the driver,
the dbutil_2_3.sys driver may be reintroduced onto your system.
To avoid or remedy these conditions: first ensure that you update all of the impacted products listed in Step 2.2.1 (as applicable) of Dell Security Advisory DSA-2021-088, then execute Step 2.2.2 (even if you have previously removed the dbutil_2_3.sys driver).
Q: After applying one of the options in Step 2.2.2 of Dell Security Advisory DSA-2021-088, I am unable to remove the dbutil_2_3.sys driver, what should I do? A: If:
You did not update all of the impacted products listed in Step 2.2.1 of the “Remediation” section before removing the dbutil_2_3.sys driver, or
You ran an impacted firmware update utility after removing the driver,
the dbutil_2_3.sys driver may be in use and locked by the operating system, preventing it from deletion.
To remedy this condition: first ensure that you update all of the impacted products listed in Step 2.2.1 (as applicable) of Dell Security Advisory DSA-2021-088, then execute Step 2.2.2 (even if you have previously removed the dbutil_2_3.sys driver).
Q: Will running the “Dell Security Advisory Update – DSA-2021-088” utility or performing the manual removal steps remove the remediated version of the driver from my system? A: No, the remediated driver has a new file name, DBUtilDrv2.sys, to distinguish it from the vulnerable dbutil_2_3.sys driver and will not be affected.
Q: Will running the “Dell Security Advisory Update – DSA-2021-088” utility install a remediated driver? A: No. The remediated version of the driver will be installed on your system the next time you apply a remediated BIOS, Thunderbolt, TPM, or dock firmware update to your system; or run a remediated version of Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).
Q: How will I get the remediated version of the driver? A: The remediated version of the driver (DBUtilDrv2.sys) will be installed on your system the next time you apply a remediated BIOS, Thunderbolt, TPM, or dock firmware update to your system; or run a remediated version of Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).
Q: Can I manually remove the dbutil_2_3.sys driver? A: Yes, follow Step 2.2.1 (as applicable) and Step 2.2.2, Option C of Dell Security Advisory DSA-2021-088.
Q: If I manually want to remove the dbutil_2_3.sys driver, how do I know I am removing the right file? A: Use the following SHA-256 checksum values to confirm that you are removing the correct file:
dbutil_2_3.sys (as used on a 64-bit version of Windows): 0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5
dbutil_2_3.sys (as used on a 32-bit version of Windows): 87E38E7AEAAAA96EFE1A74F59FCA8371DE93544B7AF22862EB0E574CEC49C7C3
Q: Would removing the dbutil_2_3.sys driver cause interoperability issues with other hardware or software? A: No, the dbutil_2_3.sys driver is a utility driver that is used in firmware update utility packages, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business) to update drivers, BIOS, and firmware for your PC. It is not used by other hardware or software.
Q: I am an enterprise customer, what should I do? A: Execute the remediation steps listed in section “2. Remediation Steps” of Dell Security Advisory DSA-2021-088. We understand that there are different infrastructure configurations and scenarios with varying levels of complexity. If you have any questions or need assistance, reach out to contact your Dell Account and/or Service Representative.
The following steps illustrate one way that an enterprise customer might deploy the Dell Security Advisory Update – DSA-2021-088 utility across their environment to complete Step 2.2.2 to remove the dbutil_2_3.sys driver from multiple systems.
Perform the following pre-deployment check.
Update affected products deployed in your enterprise. See the “2. Remediation Steps” section of the Dell Security Advisory DSA-2021-088 to update Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).
Note: This pre-deployment step prevents instances of the dbutil_2_3.sys file being locked during the operation of the Dell Security Advisory Update – DSA-2021-088 utility or subsequently being reintroduced after the utility has ran.
Follow the steps below to remove the dbutil_2_3.sys driver from your environment using Microsoft Endpoint Configuration Manager (MECM) Configuration Item (CI).
Setup the CI to execute a PowerShell script.
Factors such as disk size/utilization, type of disk, could cause scanning the entire disk drive to result in timeouts or errors. At a minimum, the following directories where the files are typically stored, should be scanned. If choosing to go down this route, update the relevant variables, for example, “%windir%\temp” and “%localappdata%\temp”.
In the PowerShell script, provide the SHA-256 checksum values to verify the file being deleted, "0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5" and "87E38E7AEAAAA96EFE1A74F59FCA8371DE93544B7AF22862EB0E574CEC49C7C3".
After creating the CI with the PowerShell script, a Configuration Baseline is created and deployed to “All Systems” collection. Depending on your MECM configuration, you might have to separate the deployment according to considerations like different computer chassis, models, etc.
Setup “collections” to log successful completion. For example, you might create a “Compliant” collection for systems where no error code was returned or file was not detected, and “Non-Compliant” collection for systems where an error code was returned.
After running the CI, review the Non-Compliant collection. You might find the following instances:
Systems that have older version of affected products referenced above
Systems requiring a reboot
Systems where CI failed to execute due to timeout
Choose the “Required” (vs “Available) deployment method to make this mandatory.
A reboot is required to complete the install. This does not include installs where the ForceReboot action is run. This error code not available on Windows Installer version 1.0.
ERROR_SUCCESS_REBOOT_REQUIRED
Q: How is the impacted Dell BIOS Flash Utility different from the impacted Dell BIOS update utilities? A: The Dell BIOS update utilities contain a specific BIOS update for a platform and also apply the update to the platform. The Dell BIOS Flash Utility is used by enterprises only to apply BIOS updates, but it does not carry a specific BIOS update. See the BIOS Installation Utility knowledge base article for more information.
Q: I am using a supported platform and I plan to update a driver, BIOS, or firmware on my system. However, either there is not yet an updated package that contains a remediated dbutil driver for my platform and Operating System combination, or I need to apply an unremediated package. What should I do? A: After you update your BIOS, Thunderbolt firmware, TPM firmware or dock firmware using a vulnerable firmware update package, you must then execute Step 2.2 of Dell Security Advisory DSA-2021-088 immediately following the update in order to remove the dbutil_2_3.sys driver from your system. This action must occur even if you have previously performed this step.
Q: I am using an end of service life platform and plan to update a driver, BIOS, or firmware on my system; however, there is not an updated package that contains a remediated dbutil driver. What should I do? A: After you update your BIOS, Thunderbolt firmware, TPM firmware or dock firmware using a vulnerable firmware update package, you must then execute Step 2.2 of Dell Security Advisory DSA-2021-088 immediately following the update in order to remove the dbutil_2_3.sys driver from your system. This action must occur even if you have previously performed this step.
Q: Is there another way to update BIOS without exposing myself to the vulnerable dbutil_2_3.sys driver? A: Yes, BIOS updates can be initiated using the F12 One Time Boot menu. Most Dell computers manufactured after 2012 have this function, and you can confirm by booting the computer to the F12 One Time Boot Menu. If you see “BIOS FLASH UPDATE” listed as a boot option, then the Dell computer supports this method of updating the BIOS using the One Time Boot Menu. Detailed steps are outlined in this support document: Flashing the BIOS from the F12 One-Time Boot Menu.
Q: Is Dell aware of this vulnerability being exploited? A: We are not aware of this vulnerability having been exploited by malicious actors to date, although we are aware that exploit code is now available.
Q: Could a malicious actor exploit this vulnerability? A: A malicious actor would first need to be granted access to your PC, for example through phishing, malware or by you granting remote access. To help protect yourself from malicious actors, never agree to give remote control to your computer to any unsolicited contact (such as from an email or phone call) to fix an issue.
We are not aware of this vulnerability having been exploited by malicious actors to date, although we are aware that exploit code is now available.
Q: Is my system always at risk when a vulnerable dbutil_2_3.sys driver is on the system? A: No, first the dbutil_2_3.sys driver must be loaded into memory when an administrator runs one of the impacted firmware update utility packages, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business). Once the dbutil_2_3.sys driver is unloaded from memory after reboot or removed from your computer, the vulnerability is no longer a concern.
Q: Is this vulnerability remotely exploitable? A: No, the vulnerability cannot be exploited remotely. A malicious actor must first obtain (local) authenticated access to your device.
Q: Is this dbutil_2_3.sys driver pre-loaded on my system? A: No, Dell computers do not ship with the dbutil_2_3.sys driver pre-installed, nor does the Dell Command Update, Dell Update, Alienware Update or Dell SupportAssist for PCs (Home and Business) pre-load the dbutil_2_3.sys driver. The dbutil_2_3.sys driver is installed and loaded on-demand by initiating the firmware update process and then unloaded after a system reboot.
Note: Once the vulnerable dbutil_2_3.sys driver file is installed; it remains on the system even once the driver is unloaded.
Q: Has Dell remediated this for all new PCs shipping from the factory? A: Yes, except for systems shipping with Dell Command Update, Dell Update, Alienware Update or Dell SupportAssist for PCs (Home and Business). Those systems will be automatically updated at first run of the Dell Command Update, Dell Update, Alienware Update and Dell SupportAssist for PCs (Home and Business). See the Step 2 in the “Remediation” section of the Dell Security Advisory DSA-2021-088 for details.
Q: Is this a Dell-only vulnerability? A: Yes, this specific vulnerability affects the Dell-specific driver (dbutil_2_3.sys)
Q: Has the data on my Dell PC been compromised due to the reported vulnerability? A: No. To have been impacted by this vulnerability, a malicious actor would need to have been granted access to your computer, for example through phishing, malware or by remote access to someone who requested it.
We are not aware of this vulnerability having been exploited by malicious actors to date, although we are aware that exploit code is now available.
As a reminder to help protect yourself from bad actors:
Never agree to give remote control to your computer to any unsolicited contact (such as from an email or phone call) to fix an issue if you did not contact Dell first for service or support.
Dell will not contact customers unexpectedly by phone to request PC access in relation to this reported vulnerability.
If you have not contacted Dell for service or support, do NOT provide access to your PC, or provide any personal data to the unsolicited caller. If you are not sure about a call you receive, hang up and immediately contact Dell Support.
Q: What else can I do to help protect my data? A: As with any device use, always be vigilant and use these top tips to help protect your data:
Be cautious when clicking on links or attachments in emails you were not expecting, or that may try to trick you into opening them by indicating there is a problem with any of your accounts, orders, or other transactions, and further tricking you into clicking a link provided to help you fix the issue. This may be a malicious actor attempting to gain access to your device.
Never give remote control to your computer to any unsolicited caller to fix an issue, even if they represent themselves as calling from Dell, or for another service provider on Dell’s behalf. If you did not contact Dell first to request a call, Dell will not make unexpected calls to you to request remote access.
Never give your financial information to any unsolicited contacts who try to charge you to fix your computer.
Never pay for Dell or any other technical support services with any type of gift card or by wiring funds. Dell will never ask you for these forms of payments.
Legal Disclaimer
Affected Products
Dell Dock WD15, Dell Thunderbolt Dock TB16, Dell Precision Dual USB-C Thunderbolt Dock - TB18DC, Dell Dock WD19, Dell Performance Dock - WD19DC, Dell Performance Dock – WD19DCS, Dell Dock – WD19S, Dell Thunderbolt Dock - WD19TB
, Dell Thunderbolt Dock – WD19TBS, Dell Embedded Box PC 5000, Dell G3 3579, Dell G5 15 5500, Dell G15 5510, Dell G5 15 5587, Dell G5 15 5590, Dell G7 15 7500, Dell G7 15 7588, Dell G7 15 7590, Dell G3 3779, Dell G7 17 7700, Dell G7 17 7790, Dell G5 5000, Dell G5 5090, Inspiron 5300, Inspiron 5301, Inspiron 5390, Inspiron 7300 2-in-1, Inspiron 7300, Inspiron 7306 2-in-1, Inspiron 7380, Inspiron 7386 2-in-1, Inspiron 3480, Inspiron 3481, Inspiron 3490, Inspiron 3493, Inspiron 5400 2-in-1, Inspiron 5401/5408, Inspiron 5402/5409, Inspiron 5406 2-in-1, Inspiron 14 5468, Inspiron 5480, Inspiron 5481 2-in-1, Inspiron 5490, Inspiron 5491 2-in-1, Inspiron 5493, Inspiron 5494, Inspiron 5498, Inspiron 7400, Inspiron 14 7460, Inspiron 14 Gaming 7466, Inspiron 14 Gaming 7467, Inspiron 7472, Inspiron 7490, Inspiron 3580, Inspiron 3581, Inspiron 3583, Inspiron 3584, Inspiron 3590, Inspiron 3593, Inspiron 5501/5508, Inspiron 5502/5509, Inspiron 15 5566, Inspiron 15 5567, Inspiron 5570, Inspiron 5580, Inspiron 15 5582 2-in-1, Inspiron 15 5583, Inspiron 15 5584, Inspiron 5590, Inspiron 5591 2-in-1, Inspiron 5593, Inspiron 5594, Inspiron 5598, Inspiron 7500 2-in-1 Black, Inspiron 7500 2-in-1 Silver, Inspiron 7500, Inspiron 7501, Inspiron 7506 2-in-1, Inspiron 15 7560, Inspiron 15 Gaming 7566, Inspiron 15 Gaming 7567, Inspiron 15 7572, Inspiron 15 Gaming 7577, Inspiron 7580, Inspiron 7586 2-in-1, Inspiron 7590 2-in-1, Inspiron 7590, Inspiron 7591 2-in-1, Inspiron 7591, Inspiron 3780, Inspiron 3781, Inspiron 3793, Inspiron 17 5767, Inspiron 7706 2-in-1, Inspiron 7786 2-in-1, Inspiron 5400 AIO, Inspiron 5401 AIO, Inspiron 5490 AIO, Inspiron 7700 AIO, Inspiron 7790 AIO, Inspiron 3268, Inspiron 3470, Inspiron 3471, Inspiron 3668, Inspiron 3670, Latitude 3120, Latitude 3180, Latitude 3189, Latitude 3190 2-in-1, Latitude 5285 2-in-1, Latitude 5289 2-in-1, Latitude 5290 2-in-1, Latitude 5290, Latitude 7200 2-in-1, Latitude 7210 2-in-1, Latitude 7212 Rugged Extreme Tablet, Latitude 7214 Rugged Extreme, Latitude 7220EX Rugged Extreme Tablet, Latitude 7220 Rugged Extreme Tablet, Latitude 7280, Latitude 7285 2-in-1, Latitude 3300, Latitude 3301, Latitude 3310 2-in-1, Latitude 3310, Latitude 3390 2-in-1, Latitude 5300 2-in-1, Latitude 5300, Latitude 5310 2-in-1, Latitude 5310, Latitude 7300, Latitude 7310, Latitude 7320, Latitude 7370, Latitude 7380, Latitude 7389 2-in-1, Latitude 7390 2-in-1, Latitude 7390, Latitude 3400, Latitude 3410, Latitude 3490, Latitude 5400, Latitude 5401, Latitude 5410, Latitude 5411, Latitude 5414 Rugged, Latitude 5420 Rugged, Latitude 5424 Rugged, Latitude 5490, Latitude 5491, Latitude 5495, Latitude 7400 2-in-1, Latitude 7400, Latitude 7410, Latitude 7414 Rugged, Latitude 7420, Latitude 7424 Rugged Extreme, Latitude 7480, Latitude 7490, Latitude 9410, Latitude 3500, Latitude 3510, Latitude 3590, Latitude 5500, Latitude 5501, Latitude 5510, Latitude 5511, Latitude 5580, Latitude 5590, Latitude 5591, Latitude 7520, Latitude 9510, Latitude 3470, Latitude 3570, Latitude 5175 2-in-1, Latitude 5179 2-in-1, Latitude 5420, Latitude E5270, Latitude E5470, Latitude E5570, Latitude E7470, OptiPlex 3040 Tower, OptiPlex 3046 Tower, OptiPlex 3050 All-In-One, OptiPlex 3050 Tower, OptiPlex 3060 Tower, OptiPlex 3070 Tower, OptiPlex 3080 Tower, OptiPlex 3090 Ultra, OptiPlex 3240 All-in-One, OptiPlex 3280 All-In-One, OptiPlex 5040 Tower, OptiPlex 5050 Tower, OptiPlex 5055 Tower, OptiPlex 5055 Ryzen APU Tower, OptiPlex 5055 Ryzen CPU Tower, OptiPlex 5060 Tower, OptiPlex 5070 Tower, OptiPlex 5080 Tower, OptiPlex 5250 All-In-One, OptiPlex 5260 All-In-One, OptiPlex 5270 All-In-One, OptiPlex 5480 All-In-One, OptiPlex 7040 Tower, OptiPlex 7050 Tower, OptiPlex 7060 Tower, OptiPlex 7070 Tower, OptiPlex 7070 Ultra, OptiPlex 7071 Tower, OptiPlex 7080 Tower, OptiPlex 7090 Ultra, OptiPlex 7440 All-In-One, OptiPlex 7450 All-In-One, OptiPlex 7460 All-In-One, OptiPlex 7470 All-In-One, OptiPlex 7480 All-In-One, OptiPlex 7760 All-In-One, OptiPlex 7770 All-In-One, OptiPlex 7780 All-In-One, Optiplex XE3, Precision 3930 XL Rack, Precision 3430 XL Small Form Factor, Precision 3520, Precision 3530, Precision 3540, Precision 3541, Precision 3550, Precision 3551, Precision 3560, Precision 5520, Precision 5530 2 in 1, Precision 5530, Precision 5540, Precision 5550, Precision 7520, Precision 7530, Precision 7540, Precision 7550, Precision 5750, Precision 7730, Precision 7740, Precision 7750, Precision 3430 Small Form Factor, Precision 3440 Small Form Factor, Precision 3930 Rack, Precision 5720 AIO, Precision 5820 Tower, Precision 7820 Tower, Precision 7920 Tower, Precision 7920 Rack, Precision 3510, Precision 5510, Product Security Information, Vostro 5300, Vostro 5301, Vostro 5370, Vostro 3400, Vostro 3401, Vostro 3480, Vostro 3481, Vostro 3490, Vostro 3491, Vostro 5402, Vostro 14 5468, Vostro 5471, Vostro 5481, Vostro 5490, Vostro 3500, Vostro 3501, Vostro 3580, Vostro 3581, Vostro 3583, Vostro 3590, Vostro 3591, Vostro 5501, Vostro 5581, Vostro 5590, Vostro 7500, Vostro 7590, Vostro 3070, Vostro 3267, Vostro 3268, Vostro 3470, Vostro 3471, Vostro 3660, Vostro 3667, Vostro 3670, Vostro 3671, Vostro 3681, Vostro 3690, Vostro 3881, Vostro 3888, Vostro 3890, Vostro 5090, Vostro 5880, Vostro 5890, Latitude E7270 mobile thin client, Latitude 3480 mobile thin client, Latitude 5280 mobile thin client, Wyse 5470 All-In-One, Wyse 5470, Wyse 7040 Thin Client, XPS 12 9250, XPS 13 7390 2-in-1, XPS 13 7390, XPS 13 9300, XPS 13 9305, XPS 13 9310 2-in-1, XPS 13 9310, XPS 13 9360, XPS 13 9365 2-in-1, XPS 13 9370, XPS 13 9380, XPS 15 7590, XPS 15 9500, XPS 15 9560, XPS 15 9570, XPS 15 9575 2-in-1, XPS 17 9700, XPS 27 7760, XPS 8900, XPS 8940
...
Article Properties
Article Number: 000186020
Article Type: Security KB
Last Modified: 26 May 2021
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.
Article Properties
Article Number: 000186020
Article Type: Security KB
Last Modified: 26 May 2021
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.