Privilege flaws in a Dell BIOS driver have recently been uncovered. They affect many different Dell models running Windows 7 through Windows 10. More detail here:
This worklet will band-aid the issue by removing the dbutil_2_3.sys file until you can update any affected Dell systems to the latest firmware as detailed here (minimum firmware version for each model recommended is at the bottom of the page):
https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability
It appears that dbutil_2_3.sys can be reintroduced to affected systems, so you’ll probably want to schedule this worklet daily until the firmware on the affected systems is at least at the versions recommended by Dell.
Evaluation:
# CVE-2021-21551 v2
# 05-07-2021
# File to check for existence
$dbsys = "dbutil_2_3.sys"
# Query WMI and get a list of all user profile locations
$profiles = (Get-WmiObject win32_userprofile).LocalPath
# Keep only profiles under C:\Users (-like does not throw on short or empty paths)
$userProfiles = $profiles | Where-Object { $_ -like "C:\Users*" }
# Build a list of all possible locations
$fileList = @()
# $userProfile is used as the loop variable so the automatic $PROFILE variable is not overwritten
foreach ($userProfile in $userProfiles) {
    $fileList += "$userProfile\AppData\Local\Temp\$dbsys"
}
$fileList += "$env:SystemRoot\Temp\$dbsys"
# Check each location for potential file
$fileFound = $false
foreach ($file in $fileList) {
    if (Test-Path -PathType Leaf $file) {
        $fileFound = $true
    }
}
# Exit 1 = file present (remediation needed), Exit 0 = compliant
if ($fileFound -eq $true) { Exit 1 } else { Exit 0 }
Remediation:
# File to check for existence
$dbsys = "dbutil_2_3.sys"
# Query WMI and get a list of all user profile locations
$profiles = (Get-WmiObject win32_userprofile).LocalPath
# Keep only profiles under C:\Users (-like does not throw on short or empty paths)
$userProfiles = $profiles | Where-Object { $_ -like "C:\Users*" }
# Build a list of all possible locations (same filtered list the evaluation script uses)
$fileList = @()
foreach ($userProfile in $userProfiles) {
    $fileList += "$userProfile\AppData\Local\Temp\$dbsys"
}
$fileList += "$env:SystemRoot\Temp\$dbsys"
# Check each location and delete the file if found
foreach ($file in $fileList) {
    if (Test-Path -PathType Leaf $file) {
        Remove-Item $file -Force
        Start-Sleep 1 # Wait a second to make sure the OS has had a chance to remove the file.
        if (Test-Path -PathType Leaf $file) {
            Write-Output "WARNING: Unable to remove $file"
        }
        else {
            Write-Output "Successfully removed $file"
        }
    }
}
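
Because the file can come back between daily runs, it helps to record where and when it reappears and whether a driver service still points at it. The script below is an added example, not part of the original worklet: the function name Get-DbutilFinding and the output field names are assumptions, and it needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example: audit variant of the evaluation script (not the worklet's own code).
# Get-DbutilFinding is a hypothetical helper name; output field names are illustrative.
function Get-DbutilFinding {
    param([string]$DriverFile = "dbutil_2_3.sys")

    # Same search locations as the worklet: each user's Temp plus %SystemRoot%\Temp
    $candidates = @(
        Get-CimInstance -ClassName Win32_UserProfile |
            Where-Object { $_.LocalPath -like "C:\Users*" } |
            ForEach-Object { Join-Path $_.LocalPath "AppData\Local\Temp\$DriverFile" }
    )
    $candidates += Join-Path $env:SystemRoot "Temp\$DriverFile"

    # Kernel driver services whose image path ends with the driver file name
    $drivers = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and
            $_.PathName.EndsWith($DriverFile, [System.StringComparison]::OrdinalIgnoreCase) })

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        # Match a service to this exact copy of the file (PathName may carry a \??\ prefix)
        $svc = $drivers | Where-Object {
            $_.PathName.EndsWith($path, [System.StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1
        $hash = Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            Path             = $path
            LastWriteTimeUtc = $item.LastWriteTimeUtc   # when this copy was dropped
            SHA256           = $hash.Hash                # compare copies across the fleet
            SignatureStatus  = (Get-AuthenticodeSignature -LiteralPath $path).Status
            DriverService    = $svc.Name                 # empty if no service references it
            DriverState      = $svc.State                # e.g. Running or Stopped
        }
    }
}

# Report findings, then use the same exit codes as the evaluation script
$findings = @(Get-DbutilFinding)
$findings | Format-List
if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

Comparing LastWriteTimeUtc between runs shows whether a removed file was written again after the previous remediation.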