Using Sophos EDR to identify endpoints impacted by Dell kernel driver vulnerability CVE-2021-21551


Use this query to identify which endpoints are impacted by the Dell kernel driver vulnerability CVE-2021-21551, and which are not.

Multiple vulnerabilities have been found in one of Dell’s Windows kernel drivers. The five related bugs, which may lead to escalation of privileges, denial of service, or information disclosure, are collectively classified as CVE-2021-21551.

Dell issued a patch for these vulnerabilities on May 4th, 2021, and we recommend you apply it at the earliest opportunity.

The bugs go all the way back to 2009, and Dell’s official list of affected products stretches for many pages. As a result, the challenge for IT teams is identifying whether your organization is impacted by this issue, the scope of that impact, and how to focus your time and remediation efforts appropriately.

Query with Sophos EDR

Sophos Endpoint Detection and Response (EDR) makes it easy to identify whether you have the file associated with this vulnerability on a device, and how many devices have that file. This allows you to focus remediation efforts and quickly address the issue.

We have created a custom query to identify which endpoints across your estate are vulnerable and require your attention. It also confirms if an endpoint is not vulnerable.

Go to the Threat Analysis Center in Sophos Central, select Live Discover and create a new query.

Select Create new query

Cut and paste the query below:

    -- Check if the dbutil_2_3.sys file is present or not
    SELECT
       CASE WHEN (SELECT 1 FROM file
                  WHERE path LIKE 'C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys'
                     OR path LIKE 'C:\Windows\Temp\dbutil_2_3.sys') = 1
          -- File found: report the directory of the first match
          THEN 'SYSTEM REQUIRES ATTENTION: File for CVE-2021-21551 (dbutil_2_3.sys) located in directory ' ||
               (SELECT directory FROM file
                WHERE path LIKE 'C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys'
                   OR path LIKE 'C:\Windows\Temp\dbutil_2_3.sys')
          ELSE 'File for CVE-2021-21551 (dbutil_2_3.sys) not found'
       END Status;

Run the query across your estate.
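The query above returns one status line per endpoint and names only the first matching directory, so a machine with copies in several user profiles shows just one of them. The variant below is an added example, not part of the published Sophos query: it returns one row per copy found, with size, modification time and SHA-256, and assumes the standard osquery `file` and `hash` tables are available in Live Discover.

```sql
-- Added example (not the published Sophos query).
-- Lists every copy of dbutil_2_3.sys in the two locations Dell names,
-- one row per file, so every affected user profile is visible.
-- Assumption: the standard osquery `file` and `hash` tables are exposed.
SELECT
   f.path,                                          -- full path of this copy
   f.size,                                          -- size in bytes
   datetime(f.mtime, 'unixepoch') AS modified_utc,  -- last modified time (UTC)
   h.sha256                                         -- hash, for comparing copies across endpoints
FROM file f
JOIN hash h ON h.path = f.path
WHERE f.path LIKE 'C:\Users\%\AppData\Local\Temp\dbutil_2_3.sys'
   OR f.path LIKE 'C:\Windows\Temp\dbutil_2_3.sys';
```

An endpoint that returns no rows has no copy of the file in either location. Re-running the query after remediation confirms that every copy was removed.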

Remediating impacted devices

Dell has provided instructions for manually removing the affected kernel driver, which it advises will be found in one of two places:

  • C:\Users\%USERNAME%\AppData\Local\Temp\dbutil_2_3.sys
  • C:\Windows\Temp\dbutil_2_3.sys

If you are nervous about removing system files by hand, Dell has published a download page with an automatic driver remover.

Learn more

For more information on the vulnerability and how it can be exploited, read the Sophos Naked Security article.

Sophos EDR is available for both endpoints and servers and is included in Intercept X subscriptions. You can run it for free, for thirty days:

  • Existing Sophos customers using Sophos Central can activate a free trial directly within their management console. Simply select Free Trials at the bottom of the left hand navigation bar.
  • Anyone not using Sophos can start a free trial via our website.