On December 13, Rapid7 released an analysis of Dell's fix for a "write-what-where" vulnerability (CVE-2021-21551) that Dell patched in May of this year. Unfortunately, the patch did not fully remediate the issue; instead, it only restricted access to the vulnerable functionality to administrative users. While the patch will most likely deter less skilled attackers, the possibility of exploitation still exists.
It is recommended to use Microsoft's driver block rules to mitigate this vulnerability. Rapid7 researcher Jake Baines explains, "The Dell drivers are not currently in the [block rule] list, but Dell has indicated they are working with Microsoft to add dbutil_2_3.sys." Binary Defense recommends a thorough survey of infrastructure to give teams accurate information when assessing risk. In cases like these, a proactive defense strategy, such as targeted Threat Hunting, will help bolster defenses and identify potential compromise.
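A starting point for the infrastructure survey recommended above, as an added example that is not Binary Defense's or Rapid7's own tooling: a PowerShell hunt that checks one Windows host for the dbutil_2_3.sys driver, both as a file on disk and as a registered kernel driver. The driver name is the only value taken from the text; the search roots, the output layout and the assumption that it runs from an elevated session are mine.

```powershell
# Added example, not from the original advisory. Hunt a single host for the
# Dell dbutil_2_3.sys driver, on disk and as a registered kernel driver.
# Run from an elevated PowerShell session; deploy across the estate through
# your normal management tooling.

$DriverName = 'dbutil_2_3.sys'   # driver name taken from the advisory text

function Find-DbutilDriver {
    param(
        # Assumption: search every local filesystem drive root
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    )

    $findings = @()

    # 1. Copies on disk. Dell utilities may drop the driver in more than one
    #    location, so search the whole drive rather than assuming a path.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $findings += [pscustomobject]@{
                    Kind   = 'OnDisk'
                    Path   = $_.FullName
                    Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer = $sig.SignerCertificate.Subject   # $null if unsigned
                    State  = $null
                }
            }
    }

    # 2. Registered kernel drivers. A loaded instance matters more than a stray
    #    file, since only a loaded driver exposes the vulnerable interface.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverName*" } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Kind   = 'Service'
                Path   = $_.PathName
                Sha256 = $null
                Signer = $null
                State  = "$($_.State) (start=$($_.StartMode))"
            }
        }

    return $findings
}

$results = Find-DbutilDriver
if ($results) { $results | Format-Table -AutoSize }
else { "No $DriverName found on $env:COMPUTERNAME" }
```

Record the SHA256 of any copy you find so it can be compared with Dell's remediated build and used to confirm that a later block-rule update actually covers it.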