Additional Information Regarding DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver

Frequently Asked Questions:

Q: How do I know if I am impacted?
A: You may be impacted if you:

• have applied a BIOS, Thunderbolt, TPM, or dock firmware update to your system; or
• currently or have previously used Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business)

Alternatively, if you manually run the utility as described in Step 2.2.2, Option A, of Dell Security Advisory DSA-2021-088, the utility will indicate if the impacted dbutil_2_3.sys driver was found and remediated on the system. To view a list of the platforms with impacted firmware update utility packages and software tools, or to learn more about this vulnerability and how to mitigate it, see Dell Security Advisory DSA-2021-088.

Q: I am using a Linux operating system. Does this issue impact me?
A: No, this vulnerability is only applicable when running Windows operating systems on an impacted Dell platform.

Q: What is the solution? How do I remediate this vulnerability?
A: All customers should execute the steps defined in section “2. Remediation Steps” of Dell Security Advisory DSA-2021-088.

Q: Why are there multiple steps in section “2. Remediation Steps” of Dell Security Advisory DSA-2021-088
A: Steps 2.1 and 2.2 are to immediately remediate this vulnerability. Step 2.3 is focused on informing you of how to obtain a remediated driver (DBUtilDrv2.sys) during your next scheduled firmware update. For each step, Dell is offering different options, and you should choose the option that best matches your circumstances.

Q: I have never updated my firmware, used Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business); and I only get BIOS updates through Windows Updates. Am I affected?
A: No, Windows Updates does not install the affected dbutil_2_3.sys driver.

Q: I have Windows 7 or 8.1. Is there a solution for me?
A: Yes, all Windows 7 and 8.1 customers should execute the steps defined in section “2. Remediation Steps” of the Dell Security Advisory DSA-2021-088.

Q: I am unsure if I am impacted. Is there something I can do to make sure my computer is not vulnerable?
A: Yes, you should execute the steps defined in sections 2.2 and 2.3 of Dell Security Advisory DSA-2021-088. Performing these steps will not negatively affect your system regardless of prior impact.

Q: Will you be pushing the “Dell Security Advisory Update – DSA-2021-088” utility via Dell Command Update, Dell Update, Alienware Update, or SupportAssist?
A: Yes. Refer to section 2.2.2 of Dell Security Advisory DSA-2021-088. However, customers should execute all steps defined in section “2. Remediation Steps”, as applicable to your environment.

Q: I ran the “Dell Security Advisory Update – DSA-2021-088” utility on my system to remove the dbutil_2_3.sys driver, and after rebooting the system, I still see the dbutil_2_3.sys driver. Why is that?
A: If:

1. You did not update all of the impacted products listed in Step 2.2.1 of the “Remediation” section before removing the dbutil_2_3.sys driver, or
2. You run an impacted firmware update utility after removing the driver,

the dbutil_2_3.sys driver may be reintroduced onto your system.
To avoid or remedy these conditions: first ensure that you update all of the impacted products listed in Step 2.2.1 (as applicable) of Dell Security Advisory DSA-2021-088, then execute Step 2.2.2 (even if you have previously removed the dbutil_2_3.sys driver).

Q: After applying one of the options in Step 2.2.2 of Dell Security Advisory DSA-2021-088, I am unable to remove the dbutil_2_3.sys driver, what should I do?
A: If:

1. You did not update all of the impacted products listed in Step 2.2.1 of the “Remediation” section before removing the dbutil_2_3.sys driver, or
2. You ran an impacted firmware update utility after removing the driver,

the dbutil_2_3.sys driver may be in use and locked by the operating system, preventing it from deletion.
To remedy this condition: first ensure that you update all of the impacted products listed in Step 2.2.1 (as applicable) of Dell Security Advisory DSA-2021-088, then execute Step 2.2.2 (even if you have previously removed the dbutil_2_3.sys driver).

Q: Will running the “Dell Security Advisory Update – DSA-2021-088” utility or performing the manual removal steps remove the remediated version of the driver from my system?
A: No, the remediated driver has a new file name, DBUtilDrv2.sys, to distinguish it from the vulnerable dbutil_2_3.sys driver and will not be affected.

Q: Will running the “Dell Security Advisory Update – DSA-2021-088” utility install a remediated driver?
A: No. The remediated version of the driver will be installed on your system the next time you apply a remediated BIOS, Thunderbolt, TPM, or dock firmware update to your system; or run a remediated version of Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).

Q: How will I get the remediated version of the driver?
A: The remediated version of the driver (DBUtilDrv2.sys) will be installed on your system the next time you apply a remediated BIOS, Thunderbolt, TPM, or dock firmware update to your system; or run a remediated version of Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).

Q: Can I manually remove the dbutil_2_3.sys driver?
A: Yes, follow Step 2.2.1 (as applicable) and Step 2.2.2, Option C of Dell Security Advisory DSA-2021-088.

Q: If I manually want to remove the dbutil_2_3.sys driver, how do I know I am removing the right file?
A: Use the following SHA-256 checksum values to confirm that you are removing the correct file:

• dbutil_2_3.sys (as used on a 64-bit version of Windows): 0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5
• dbutil_2_3.sys (as used on a 32-bit version of Windows): 87E38E7AEAAAA96EFE1A74F59FCA8371DE93544B7AF22862EB0E574CEC49C7C3

Q: Would removing the dbutil_2_3.sys driver cause interoperability issues with other hardware or software?
A: No, the dbutil_2_3.sys driver is a utility driver that is used in firmware update utility packages, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business) to update drivers, BIOS, and firmware for your PC. It is not used by other hardware or software.
  
Q: I am an enterprise customer, what should I do?
A: Execute the remediation steps listed in  section “2. Remediation Steps” of Dell Security Advisory DSA-2021-088. We understand that there are different infrastructure configurations and scenarios with varying levels of complexity. If you have any questions or need assistance, reach out to contact your Dell Account and/or Service Representative.

The following steps illustrate one way that an enterprise customer might deploy the Dell Security Advisory Update – DSA-2021-088 utility across their environment to complete Step 2.2.2 to remove the dbutil_2_3.sys driver from multiple systems.

1. Perform the following pre-deployment check.

• Update affected products deployed in your enterprise. See the “2. Remediation Steps” section of the Dell Security Advisory DSA-2021-088 to update Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).

2. Follow the steps below to remove the dbutil_2_3.sys driver from your environment using Microsoft Endpoint Configuration Manager (MECM) Configuration Item (CI).

• Setup the CI to execute a PowerShell script.
  • Factors such as disk size/utilization, type of disk, could cause scanning the entire disk drive to result in timeouts or errors. At a minimum, the following directories where the files are typically stored, should be scanned. If choosing to go down this route, update the relevant variables, for example, “%windir%\temp” and “%localappdata%\temp”.
  • In the PowerShell script, provide the SHA-256 checksum values to verify the file being deleted, "0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5" and  "87E38E7AEAAAA96EFE1A74F59FCA8371DE93544B7AF22862EB0E574CEC49C7C3".

• After creating the CI with the PowerShell script, a Configuration Baseline is created and deployed to “All Systems” collection. Depending on your MECM configuration, you might have to separate the deployment according to considerations like different computer chassis, models, etc.
• Setup “collections” to log successful completion. For example, you might create a “Compliant” collection for systems where no error code was returned or file was not detected, and “Non-Compliant” collection for systems where an error code was returned.
• After running the CI, review the Non-Compliant collection. You might find the following instances:
  • Systems that have older version of affected products referenced above
  • Systems requiring a reboot
  • Systems where CI failed to execute due to timeout
• Choose the “Required” (vs “Available) deployment method to make this mandatory.
  • The Dell Security Advisory Update – DSA-2021-088 utility provides exit codes that may be used by MEC

MSI Exit Code	Description	Error Code
0	Action completed successfully.	ERROR_SUCCESS
1603	Fatal error during installation.	ERROR_INSTALL_FAILURE
3010	A reboot is required to complete the install. This does not include installs where the ForceReboot action is run. This error code not available on Windows Installer version 1.0.	ERROR_SUCCESS_REBOOT_REQUIRED

Q: How is the impacted Dell BIOS Flash Utility different from the impacted Dell BIOS update utilities?
A: The Dell BIOS update utilities contain a specific BIOS update for a platform and also apply the update to the platform. The Dell BIOS Flash Utility is used by enterprises only to apply BIOS updates, but it does not carry a specific BIOS update. See the BIOS Installation Utility knowledge base article for more information.

Q: I am using a supported platform and I plan to update a driver, BIOS, or firmware on my system. However, either there is not yet an updated package that contains a remediated dbutil driver for my platform and Operating System combination, or I need to apply an unremediated package. What should I do?
A: After you update your BIOS, Thunderbolt firmware, TPM firmware or dock firmware using a vulnerable firmware update package, you must then execute Step 2.2  of Dell Security Advisory DSA-2021-088 immediately following the update in order to remove the dbutil_2_3.sys driver from your system. This action must occur even if you have previously performed this step.

Q: I am using an end of service life platform and plan to update a driver, BIOS, or firmware on my system; however, there is not an updated package that contains a remediated dbutil driver. What should I do?
A: After you update your BIOS, Thunderbolt firmware, TPM firmware or dock firmware using a vulnerable firmware update package, you must then execute Step 2.2 of Dell Security Advisory DSA-2021-088 immediately following the update in order to remove the dbutil_2_3.sys driver from your system. This action must occur even if you have previously performed this step.

Q: Is there another way to update BIOS without exposing myself to the vulnerable dbutil_2_3.sys driver?
A: Yes, BIOS updates can be initiated using the F12 One Time Boot menu. Most Dell computers manufactured after 2012 have this function, and you can confirm by booting the computer to the F12 One Time Boot Menu. If you see “BIOS FLASH UPDATE” listed as a boot option, then the Dell computer supports this method of updating the BIOS using the One Time Boot Menu. Detailed steps are outlined in this support document: Flashing the BIOS from the F12 One-Time Boot Menu.
  
Q: Is Dell aware of this vulnerability being exploited?
A: We are not aware of this vulnerability having been exploited by malicious actors to date, although we are aware that exploit code is now available.

Q: Could a malicious actor exploit this vulnerability?
A: A malicious actor would first need to be granted access to your PC, for example through phishing, malware or by you granting remote access. To help protect yourself from malicious actors, never agree to give remote control to your computer to any unsolicited contact (such as from an email or phone call) to fix an issue.
We are not aware of this vulnerability having been exploited by malicious actors to date, although we are aware that exploit code is now available.

Q: Is my system always at risk when a vulnerable dbutil_2_3.sys driver is on the system?
A: No, first the dbutil_2_3.sys driver must be loaded into memory when an administrator runs one of the impacted firmware update utility packages, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business). Once the dbutil_2_3.sys driver is unloaded from memory after reboot or removed from your computer, the vulnerability is no longer a concern.

Q: Is this vulnerability remotely exploitable?
A: No, the vulnerability cannot be exploited remotely. A malicious actor must first obtain (local) authenticated access to your device.

Q: Is this dbutil_2_3.sys driver pre-loaded on my system?
A: No, Dell computers do not ship with the dbutil_2_3.sys driver pre-installed, nor does the Dell Command Update, Dell Update, Alienware Update or Dell SupportAssist for PCs (Home and Business) pre-load the dbutil_2_3.sys driver. The dbutil_2_3.sys driver is installed and loaded on-demand by initiating the firmware update process and then unloaded after a system reboot.
Note: Once the vulnerable dbutil_2_3.sys driver file is installed; it remains on the system even once the driver is unloaded.

Q: Has Dell remediated this for all new PCs shipping from the factory?
A: Yes, except for systems shipping with Dell Command Update, Dell Update, Alienware Update or Dell SupportAssist for PCs (Home and Business). Those systems will be automatically updated at first run of the Dell Command Update, Dell Update, Alienware Update and Dell SupportAssist for PCs (Home and Business). See the Step 2 in the “Remediation” section of the Dell Security Advisory DSA-2021-088 for details.

Q: Is this a Dell-only vulnerability?
A: Yes, this specific vulnerability affects the Dell-specific driver (dbutil_2_3.sys)

Q: Has the data on my Dell PC been compromised due to the reported vulnerability?
A: No. To have been impacted by this vulnerability, a malicious actor would need to have been granted access to your computer, for example through phishing, malware or by remote access to someone who requested it.
We are not aware of this vulnerability having been exploited by malicious actors to date, although we are aware that exploit code is now available.
As a reminder to help protect yourself from bad actors:

• Never agree to give remote control to your computer to any unsolicited contact (such as from an email or phone call) to fix an issue if you did not contact Dell first for service or support.
• Dell will not contact customers unexpectedly by phone to request PC access in relation to this reported vulnerability.
• If you have not contacted Dell for service or support, do NOT provide access to your PC, or provide any personal data to the unsolicited caller. If you are not sure about a call you receive, hang up and immediately contact Dell Support. 

Q: What else can I do to help protect my data?
A: As with any device use, always be vigilant and use these top tips to help protect your data:

• Be cautious when clicking on links or attachments in emails you were not expecting, or that may try to trick you into opening them by indicating there is a problem with any of your accounts, orders, or other transactions, and further tricking you into clicking a link provided to help you fix the issue. This may be a malicious actor attempting to gain access to your device.
• Never give remote control to your computer to any unsolicited caller to fix an issue, even if they represent themselves as calling from Dell, or for another service provider on Dell’s behalf. If you did not contact Dell first to request a call, Dell will not make unexpected calls to you to request remote access.
• Never give your financial information to any unsolicited contacts who try to charge you to fix your computer.
• Never pay for Dell or any other technical support services with any type of gift card or by wiring funds. Dell will never ask you for these forms of payments.