CVE-2021-21551
Published: 04 May 2021
Summary
CVE-2021-21551 is a high-severity Exposed IOCTL with Insufficient Access Control (CWE-782) vulnerability in Dell Dbutil. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 1.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The vulnerability is an insufficient access control flaw, tracked as CVE-2021-21551, in the Dell dbutil_2_3.sys driver. It is assigned CWE-782 and carries a CVSS 3.1 base score of 8.8 with the vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The affected component is a kernel-mode driver distributed with multiple Dell client platforms.
A local authenticated user can send specially crafted IOCTL requests to the driver, enabling arbitrary kernel memory read and write operations. Successful exploitation can result in privilege escalation to kernel level, denial of service through system crashes, or disclosure of sensitive kernel memory contents.
Dell’s DSA-2021-088 advisory describes the issue and directs customers to install the updated driver versions provided in the security update package. Public proof-of-concept code demonstrating both memory read/write primitives and privilege-escalation chains has been published on Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-8823
Vulnerability details
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
- CWE(s): CWE-782
- KEV Date Added: 31 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access restrictions on IOCTL requests to the dbutil_2_3.sys driver so that local users cannot perform arbitrary kernel read/write operations.
- AC-6 (Least Privilege): limits privileges granted to the kernel driver, preventing a local authenticated user from obtaining kernel-level access via the exposed IOCTL interface.
- Protects kernel memory regions from unauthorized read/write primitives that the vulnerable driver would otherwise allow.