
Additional Information Regarding DSA-2021-152: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell DBUtilDrv2.sys Driver

Summary: This document provides additional Questions and Answers in support of DSA-2021-152.


Article Content


Security Article Type

Security KB

CVE Identifier

CVE-2021-36276

Issue Summary

A driver DBUtilDrv2.sys (versions 2.5 and 2.6) packaged with Dell Client firmware update utility packages and software tools contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is first required before this vulnerability can be exploited.

Details

See the following Dell Security Advisory article 190105: DSA-2021-152: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver.

Recommendations

Frequently Asked Questions:

Q: How is this vulnerability different from the previous DBUtil vulnerability addressed in DSA-2021-088?
A: DSA-2021-088 addresses a vulnerability in the dbutil_2_3.sys driver (CVE-2021-21551). DSA-2021-152 addresses a vulnerability in versions 2.5 and 2.6 of the DBUtilDrv2.sys driver (CVE-2021-36276).

Q: Does this vulnerability impact all the same products impacted by DSA-2021-088?
A: No, products which were end of service life at the time of the publication of DSA-2021-088 are not impacted by this vulnerability in the DBUtilDrv2.sys driver. However, all of the supported Dell platforms identified in Table A of DSA-2021-088 are likely impacted by this vulnerability because the recommendation in DSA-2021-088 was to apply this DBUtilDrv2.sys driver as its remediation. Six (6) platforms that were supported at the time of DSA-2021-088 have since reached end of service life and are now listed in Table B of DSA-2021-152.

Q: Does the “DBUtil Removal Utility” find and mitigate versions 2.5 and 2.6 of the DBUtilDrv2.sys driver, as well as the older versions of the dbutil_2_3.sys driver which were described in DSA-2021-088? Or would I need to separately run the “DBUtil Removal Utility” and the “Dell Security Advisory Update – DSA-2021-088” utility?
A: Yes, the “DBUtil Removal Utility" will find and mitigate all versions of the DBUtilDrv2.sys and dbutil_2_3.sys drivers as described in DSA-2021-088 and DSA-2021-152. There is no need to separately run the previous version of this utility.

Q: How do I know if I am impacted?
A: You may be impacted if you:
  • have applied a BIOS, Thunderbolt, TPM, or dock firmware update to your system; or
  • currently or have previously used Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business)
Alternatively, if you manually run the utility as described in Step 2.2.2, Option A, of Dell Security Advisory DSA-2021-152, the utility will indicate whether the impacted versions (2.5 or 2.6) of the DBUtilDrv2.sys driver were found and remediated on the system. To view a list of the platforms with impacted firmware update utility packages and software tools, or to learn more about this vulnerability and how to mitigate it, see Dell Security Advisory DSA-2021-152.

Q: I am using a Linux operating system. Does this issue impact me?
A: No, this vulnerability is only applicable when running Windows operating systems on an impacted Dell platform.

Q: What is the solution? How do I remediate this vulnerability?
A: All customers should execute the steps defined in section “2. Remediation Steps” of Dell Security Advisory DSA-2021-152.

Q: Why are there multiple steps in section “2. Remediation Steps” of Dell Security Advisory DSA-2021-152?
A: Steps 2.1 and 2.2 are to immediately remediate this vulnerability. Step 2.3 is focused on informing you of how to obtain a remediated DBUtilDrv2.sys driver (version 2.7) during your next scheduled firmware update. For each step, Dell is offering different options, and you should choose the option that best matches your circumstances.

Q: I have never updated my firmware, used Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business); and I only get BIOS updates through Windows Update. Am I affected?
A: No, Windows Update does not install the affected DBUtilDrv2.sys driver versions (versions 2.5 and 2.6).

Q: I am unsure if I am impacted. Is there something I can do to make sure my computer is not vulnerable?
A: Yes, you should execute the steps defined in sections 2.2 and 2.3 of Dell Security Advisory DSA-2021-152.

Q: Will you be pushing the “DBUtil Removal Utility” via Dell Command Update, Dell Update, Alienware Update, or SupportAssist?
A: Yes. Refer to section 2.2.2 of Dell Security Advisory Update – DSA-2021-152. However, customers should execute all steps defined in section “2. Remediation Steps”, as applicable to your environment.

Q: I ran the “DBUtil Removal Utility” on my system to remove version 2.5 or 2.6 of the DBUtilDrv2.sys driver, and after rebooting the system, I still see that version of the DBUtilDrv2.sys driver on my system. Why is that?
A: If:
  1. You did not update all of the impacted products listed in Step 2.2.1 of the “Remediation” section before removing version 2.5 or 2.6 of the DBUtilDrv2.sys driver, or
  2. You ran an impacted firmware update utility after removing the driver,
version 2.5 or 2.6 of the DBUtilDrv2.sys driver may be reintroduced onto your system.
To avoid or remedy these conditions: first ensure that you update all of the impacted products listed in Step 2.2.1 (as applicable) of Dell Security Advisory DSA-2021-152, then execute Step 2.2.2 (even if you have previously removed version 2.5 or 2.6 of the DBUtilDrv2.sys driver).

Q: After applying one of the options in Step 2.2.2 of Dell Security Advisory DSA-2021-152, I am unable to remove version 2.5 or 2.6 of the DBUtilDrv2.sys driver. What should I do?
A: If:
  1. You did not update all of the impacted products listed in Step 2.2.1 of the “Remediation” section before removing version 2.5 or 2.6 of the DBUtilDrv2.sys driver, or
  2. You ran an impacted firmware update utility after removing the driver,
version 2.5 or 2.6 of the DBUtilDrv2.sys driver may be in use and locked by the operating system, preventing it from being deleted.
To remedy this condition: first ensure that you update all of the impacted products listed in Step 2.2.1 (as applicable) of Dell Security Advisory DSA-2021-152, then execute Step 2.2.2 (even if you have previously removed version 2.5 or 2.6 of the DBUtilDrv2.sys driver).

Q: Will running the “DBUtil Removal Utility” install a remediated driver?
A: No. The remediated version of the driver will be installed on your system the next time you apply a remediated BIOS, Thunderbolt, TPM, or dock firmware update to your system; or run a remediated version of Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).

Q: How will I get the remediated version of the driver?
A: The remediated version of the DBUtilDrv2.sys driver (version 2.7) will be installed on your system the next time you apply a remediated BIOS, Thunderbolt, TPM, or dock firmware update to your system; or run a remediated version of Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).

Q: Can I manually remove version 2.5 or 2.6 of the DBUtilDrv2.sys driver?
A: Yes, follow Step 2.2.1 (as applicable) and Step 2.2.2, Option C of Dell Security Advisory DSA-2021-152.

Q: If I manually want to remove the vulnerable driver files, how do I know I am removing the right file?
A: Use the following SHA-256 checksum values to confirm that you are removing the correct file:
  • DBUtilDrv2 (v2.5)
    DBUtilDrv2.sys: "2E6B339597A89E875F175023ED952AAAC64E9D20D457BBC07ACF1586E7FE2DF8"
    dbutildrv2.cat: "4B93FC56DB034BFEBB227B1E2AF1B5E71CC663FFEFFE3B59618F634C22DB579D"
    DBUtilDrv2.inf: "4E2AA67DAAB4C4ACAC3D6D13490F93D42516FA76B8FDA87C880969FC793A3B42"
  • DBUtilDrv2 (v2.6)
    DBUtilDrv2.sys: "4720B202C4E6DD919222FE7B1F458705C0ED1CCC17EC4BA72A31EEF8559B87C7"
    dbutildrv2.cat: "2A354D4D83F21702AF61FFAAC1ACC385C77AB9ADCBB721EABD4CA812D6108D5F"
    DBUtilDrv2.inf: "6E8A9FA6A0354B1189A36EB9E29673050BCACB003DE8D15916491E6231E4BC1C"

Q: Would removing version 2.5 or 2.6 of the DBUtilDrv2.sys driver cause interoperability issues with other hardware or software?
A: No, the DBUtilDrv2.sys driver is a utility driver that is used in firmware update utility packages, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business) to update drivers, BIOS, and firmware for your PC. It is not used by other hardware or software.

Q: I am an enterprise customer, what should I do?
A: Execute the remediation steps listed in section “2. Remediation Steps” of Dell Security Advisory DSA-2021-152. We understand that there are different infrastructure configurations and scenarios with varying levels of complexity. If you have any questions or need assistance, contact your Dell Account and/or Service Representative.

The following steps illustrate one way that an enterprise customer might deploy the "DBUtil Removal Utility" across their environment to complete Step 2.2.2 to remove version 2.5 or 2.6 of the DBUtilDrv2.sys driver from multiple systems.
  1. Perform the following pre-deployment check.
  • Update affected products deployed in your enterprise. See the “2. Remediation Steps” section of Dell Security Advisory DSA-2021-152 to update Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility, or SupportAssist for PCs (Home and Business).
Note: This pre-deployment step prevents instances of the DBUtilDrv2.sys driver files from being locked during the operation of the “DBUtil Removal Utility” or subsequently being reintroduced after the utility has run.
  2. Follow the steps below to remove the impacted DBUtilDrv2.sys driver files from your environment using a Microsoft Endpoint Configuration Manager (MECM) Configuration Item (CI).
  • Set up the CI to execute a PowerShell script.
    • Factors such as disk size, disk utilization and type of disk could cause a scan of the entire disk drive to time out or fail. At a minimum, scan the following directories, where the files are typically stored. If you choose this route, update the relevant variables, for example “%windir%\temp” and “%localappdata%\temp”.
    • In the PowerShell script, provide the SHA-256 checksum values to verify each file before it is deleted:
  • DBUtilDrv2 (v2.5)
    DBUtilDrv2.sys: "2E6B339597A89E875F175023ED952AAAC64E9D20D457BBC07ACF1586E7FE2DF8"
    dbutildrv2.cat: "4B93FC56DB034BFEBB227B1E2AF1B5E71CC663FFEFFE3B59618F634C22DB579D"
    DBUtilDrv2.inf: "4E2AA67DAAB4C4ACAC3D6D13490F93D42516FA76B8FDA87C880969FC793A3B42"
  • DBUtilDrv2 (v2.6)
    DBUtilDrv2.sys: "4720B202C4E6DD919222FE7B1F458705C0ED1CCC17EC4BA72A31EEF8559B87C7"
    dbutildrv2.cat: "2A354D4D83F21702AF61FFAAC1ACC385C77AB9ADCBB721EABD4CA812D6108D5F"
    DBUtilDrv2.inf: "6E8A9FA6A0354B1189A36EB9E29673050BCACB003DE8D15916491E6231E4BC1C"
  • After creating the CI with the PowerShell script, create a Configuration Baseline and deploy it to the “All Systems” collection. Depending on your MECM configuration, you might have to separate the deployment according to considerations such as different computer chassis, models, etc.
  • Set up “collections” to log successful completion. For example, you might create a “Compliant” collection for systems where no error code was returned or the file was not detected, and a “Non-Compliant” collection for systems where an error code was returned.
  • After running the CI, review the Non-Compliant collection. You might find the following instances:
    • Systems that have an older version of the affected products referenced above
    • Systems requiring a reboot
    • Systems where the CI failed to execute due to a timeout
  • Choose the “Required” (vs. “Available”) deployment method to make this mandatory.

MSI Exit Code   Description                                                                  Error Code
0               Action completed successfully.                                               ERROR_SUCCESS
1603            Fatal error during installation.                                             ERROR_INSTALL_FAILURE
3010            A reboot is required to complete the install. This does not include          ERROR_SUCCESS_REBOOT_REQUIRED
                installs where the ForceReboot action is run. This error code is not
                available on Windows Installer version 1.0.
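The following script is an added illustration of the CI discovery script described in the steps above; it is not Dell's “DBUtil Removal Utility” or any Dell code. It scans the directories the article names, verifies each candidate file against the published SHA-256 values before deleting it, and reports a compliance string the baseline can evaluate. The per-user expansion of %localappdata%, the 'DBUtil*' service-name pattern used to detect a loaded instance, and the mapping to exit codes 0 and 3010 are this example's assumptions.

```powershell
# Added example (not Dell's utility): detect and remove DBUtilDrv2 v2.5/v2.6 package files.
# Assumptions: scan directories, the 'DBUtil*' driver-service name pattern and the
# exit-code mapping are choices made for this example, not values published by Dell.
$ErrorActionPreference = 'Stop'

# SHA-256 values for the v2.5 and v2.6 driver package files as listed in this article.
$KnownBad = @{
  '2E6B339597A89E875F175023ED952AAAC64E9D20D457BBC07ACF1586E7FE2DF8' = 'DBUtilDrv2.sys (v2.5)'
  '4B93FC56DB034BFEBB227B1E2AF1B5E71CC663FFEFFE3B59618F634C22DB579D' = 'dbutildrv2.cat (v2.5)'
  '4E2AA67DAAB4C4ACAC3D6D13490F93D42516FA76B8FDA87C880969FC793A3B42' = 'DBUtilDrv2.inf (v2.5)'
  '4720B202C4E6DD919222FE7B1F458705C0ED1CCC17EC4BA72A31EEF8559B87C7' = 'DBUtilDrv2.sys (v2.6)'
  '2A354D4D83F21702AF61FFAAC1ACC385C77AB9ADCBB721EABD4CA812D6108D5F' = 'dbutildrv2.cat (v2.6)'
  '6E8A9FA6A0354B1189A36EB9E29673050BCACB003DE8D15916491E6231E4BC1C' = 'DBUtilDrv2.inf (v2.6)'
}

# Directories the article names as typical locations. %localappdata% is per-user,
# so expand it for every profile on the machine (assumption: profiles live under \Users).
$ScanDirs = @("$env:windir\temp")
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
  ForEach-Object { $ScanDirs += Join-Path $_.FullName 'AppData\Local\Temp' }

$Removed = @(); $Locked = @()
foreach ($dir in $ScanDirs) {
  if (-not (Test-Path $dir)) { continue }
  # Only the three package file names are candidates, and each is hashed before any
  # action so that an unrelated file that happens to share the name is never touched.
  Get-ChildItem -Path $dir -Recurse -File -Include 'DBUtilDrv2.sys','dbutildrv2.cat','DBUtilDrv2.inf' -ErrorAction SilentlyContinue |
    ForEach-Object {
      $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
      if ($KnownBad.ContainsKey($hash)) {
        try {
          Remove-Item -Path $_.FullName -Force
          $Removed += "$($_.FullName) [$($KnownBad[$hash])]"
        } catch {
          # In use and locked by the OS: the Step 2.2.1 / reboot case described in the Q&A.
          $Locked += $_.FullName
        }
      }
    }
}

# A loaded instance is the condition under which the article says the system is at risk.
$Loaded = @(Get-CimInstance Win32_SystemDriver |
  Where-Object { $_.Name -like 'DBUtil*' -and $_.State -eq 'Running' })

# Compliance result for the CI; the baseline compares the first token against "Compliant".
if ($Locked.Count -gt 0 -or $Loaded.Count -gt 0) {
  Write-Output "Non-Compliant: reboot required (locked=$($Locked.Count) loaded=$($Loaded.Count))"
  exit 3010   # mapped to ERROR_SUCCESS_REBOOT_REQUIRED in the table above
}
Write-Output "Compliant: removed=$($Removed.Count)"
exit 0
```

Systems that land in the Non-Compliant collection because of a locked file correspond to the “Systems requiring a reboot” case listed above; rerun the baseline after the reboot to confirm removal.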

Q: How is the impacted Dell BIOS Flash Utility different from the impacted Dell BIOS update utilities?
A: The Dell BIOS update utilities contain a specific BIOS update for a platform and also apply the update to the platform. The Dell BIOS Flash Utility is used by enterprises only to apply BIOS updates, but it does not carry a specific BIOS update. See the BIOS Installation Utility knowledge base article for more information.

Q: I am using a supported platform and I plan to update a driver, BIOS, or firmware on my system. However, either there is not yet an updated package that contains a remediated dbutil driver for my platform, or I need to apply an unremediated package. What should I do?
A: After you update your BIOS, Thunderbolt firmware, TPM firmware or dock firmware using a vulnerable firmware update package, you must then execute Step 2.2 of Dell Security Advisory DSA-2021-152 immediately following the update in order to remove the DBUtilDrv2.sys (versions 2.5 and 2.6) driver from your system. This action must occur even if you have previously performed this step.

Q: I am using an end of service life platform and plan to update a driver, BIOS, or firmware on my system; however, there is not an updated package that contains a remediated dbutil driver. What should I do?
A: After you update your BIOS, Thunderbolt firmware, TPM firmware or dock firmware using a vulnerable firmware update package, you must then execute Step 2.2 of Dell Security Advisory DSA-2021-152 immediately following the update in order to remove the DBUtilDrv2.sys (versions 2.5 and 2.6) driver from your system. This action must occur even if you have previously performed this step.

Q: Is there another way to update BIOS without exposing myself to the vulnerable 2.5 or 2.6 DBUtilDrv2.sys driver?
A: Yes, BIOS updates can be initiated using the F12 One Time Boot menu. Most Dell computers manufactured after 2012 have this function, and you can confirm by booting the computer to the F12 One Time Boot Menu. If you see “BIOS FLASH UPDATE” listed as a boot option, then the Dell computer supports this method of updating the BIOS using the One Time Boot Menu. Detailed steps are outlined in this support document: Flashing the BIOS from the F12 One-Time Boot Menu.

Q: Is Dell aware of this vulnerability being exploited?
A: We are not aware of this vulnerability having been exploited by malicious actors to date.

Q: Could a malicious actor exploit this vulnerability?
A: A malicious actor would first need to be granted access to your PC, for example through phishing, malware or by you granting remote access. To help protect yourself from malicious actors, never agree to give remote control to your computer to any unsolicited contact (such as from an email or phone call) to fix an issue.
We are not aware of this vulnerability having been exploited by malicious actors to date.

Q: Is my system always at risk when a vulnerable version 2.5 or 2.6 DBUtilDrv2.sys driver is on the system?
A: No, first version 2.5 or 2.6 of the DBUtilDrv2.sys driver must be loaded into memory when an administrator runs one of the impacted firmware update utility packages, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent, Dell Platform Tags, Dell BIOS Flash Utility or Dell SupportAssist for PCs (Home and Business). Once version 2.5 or 2.6 of the DBUtilDrv2.sys driver is unloaded from memory after reboot or removed from your computer, the vulnerability is no longer a concern.

Q: Is this vulnerability remotely exploitable?
A: No, the vulnerability cannot be exploited remotely. A malicious actor must first obtain (local) authenticated access to your device.

Q: Is this DBUtilDrv2.sys driver pre-loaded on my system?
A: No, Dell computers do not ship with the DBUtilDrv2.sys driver pre-installed, nor does Dell Command Update, Dell Update, Alienware Update or Dell SupportAssist for PCs (Home and Business) pre-load the DBUtilDrv2.sys driver. The DBUtilDrv2.sys driver is installed and loaded on demand by initiating the firmware update process and then unloaded after a system reboot.
Note: Once the vulnerable DBUtilDrv2.sys (version 2.5) driver files are installed, they may remain on the system even after the driver is unloaded.

Q: Has Dell remediated this for all new PCs shipping from the factory?
A: Yes, all systems manufactured on or after July 19, 2021 with Dell Command Update, Dell Update, Alienware Update or Dell SupportAssist for PCs (Home) have been remediated.

Q: Is this a Dell-only vulnerability?
A: Yes, this specific vulnerability affects versions 2.5 and 2.6 of the Dell-specific driver (DBUtilDrv2.sys driver).

Q: Has the data on my Dell PC been compromised due to the reported vulnerability?
A: No. To have been impacted by this vulnerability, a malicious actor would need to have been granted access to your computer, for example through phishing, malware or by granting remote access to someone who requested it.
We are not aware of this vulnerability having been exploited by malicious actors to date.
As a reminder to help protect yourself from bad actors:
  • Never agree to give remote control to your computer to any unsolicited contact (such as from an email or phone call) to fix an issue if you did not contact Dell first for service or support.
  • Dell will not contact customers unexpectedly by phone to request PC access in relation to this reported vulnerability.
  • If you have not contacted Dell for service or support, do NOT provide access to your PC, or provide any personal data to the unsolicited caller. If you are not sure about a call you receive, hang up and immediately contact Dell Support.

Q: What else can I do to help protect my data?
A: As with any device use, always be vigilant and use these top tips to help protect your data:
  • Be cautious when clicking on links or attachments in emails you were not expecting, or that may try to trick you into opening them by indicating there is a problem with any of your accounts, orders, or other transactions, and further tricking you into clicking a link provided to help you fix the issue. This may be a malicious actor attempting to gain access to your device.
  • Never give remote control to your computer to any unsolicited caller to fix an issue, even if they represent themselves as calling from Dell, or for another service provider on Dell’s behalf. If you did not contact Dell first to request a call, Dell will not make unexpected calls to you to request remote access.
  • Never give your financial information to any unsolicited contacts who try to charge you to fix your computer.
  • Never pay for Dell or any other technical support services with any type of gift card or by wiring funds. Dell will never ask you for these forms of payments.

Article Properties


Affected Product

Product Security Information

Last Published Date

02 Aug 2021

Version

2

Article Type

Security KB