Dell Security Flaw Dates Back to 2009

A Dell driver flaw which could allow a local authenticated attacker to gain elevated privileges on the system has been resolved. The vulnerability was caused by an insufficient access control vulnerability in the dbutil_2_3.sys driver. An attacker could exploit this vulnerability to gain elevated privileges, obtain sensitive information or cause a denial of service due to improper access restrictions within the Dell dbutil driver dbutil_2_3.sys.

Dell has remediated the dbutil driver and has released firmware update utility packages for supported platforms running Windows 10, Dell Command Update, Dell Update, Alienware Update, Dell System Inventory Agent and Dell Platform Tags.

Vulnerability Details

• CVSS Score: 8.8
• Attack Vector: Local
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Scope (Jump Point): Changed

How Syxsense Can Help

This vulnerability poses a very significant risk as it has a Low Attack Complexity, Low privileges requires and the Scope is Changed.  Scope is what we call a ‘Jump Point’ – which means an active exploit can jump from one technology to another.

Customers of Syxsense Manage and Syxsense Secure can request a custom to detect and remediate your vulnerable devices.

Apple Patches MacOS Bug

On Monday, April 26^th Apple released MacOS 11.3, a security rollup patch which remediates multiple known attack vectors. Among these vectors is CVE-2021-30657, an exploit which has been used since January to push unchecked payloads to user computers by bypassing Apple’s security tools when a user attempts to use an infected installation package.

Under the Hood

Under normal circumstances, when a MacOS user opens an application installer, the installer is first put through Apple’s anti-malware detection suite. This process contains a multi-functional mesh of security checks and scans.

The first layer of the anti-malware mesh is the File Quarantine tag. Apple first started securing users against tainted downloads in OSX Leopard by implementing file quarantining. This security attribute marks un-identified files as unsafe by applying a quarantine tag to the file’s attributes. When opening files with the quarantine tag, access will either be prompted or denied, depending on the policies applied to the computer.

Iterating on the File Quarantine tags, Apple introduced an additional layer of security in OSX Lion named Gatekeeper. The macOS Gatekeeper checks code-signing information on all new files accessed by the system to ensure that the file conforms to system policies. If the file does not meet the system policy requirement, the access is either revoked or prompted depending on applied policies.

More recently, Apple introduced new functionality in macOS Catalina which requires pre-authorization by Apple before an application is released to the public with a process titled Notarization. With this new tool, software authors provide their software to Apple prior to public release for an automated security scan.

Once the scan completes, Apple provides an attribute tag for the software which verifies its authenticity and safety. If a user attempts to install software without this attribute, the software is flagged by the anti-malware suite and access is either denied or prompted based on computer policy.

Below is the prompt generated by the Notarization, Gatekeeper, and Quarantine processes working in concert to defend against a potentially dangerous executable.

How It Works

CVE-2021-30657 manages to bypass all layers of macOS’s anti-malware suite by re-building it’s payload bundles with specifically mischaracterized property files. When a re-bundled payload is passed through the detection suite, the file contents are not recognized by the File Quarantine and Notarization processes and are default allowed by the anti-malware tools.

Because payloads using the CVE-2021-30657 exploit are default allowed, the Gatekeeper process never gets activated and the user is never given a security prompt. Instead, the payload is quietly executed, and the computer becomes compromised. In its current iteration, the well-known malware suite Shlayer is known to use CVE-2021-30657 to silently push payloads to endpoints while masquerading as an Adobe Flash Player update.

The Take-Away

There are two major takeaways from CVE-2021-30657.

First, never download applications from untrusted or third-party sites. Where possible, always install applications from the Mac App store or directly from well-known publishers like Microsoft or Adobe. When installing software not found on the Mac App store, make sure you are on the publishers’ website, and not a third-party website. These unsecure sites may contain reuploads of authentic software packages which contain software exploits similar to CVE-2021-30657.

Second, make sure that you keep your operating system up to date. MacOS 11.3 introduces patches which safeguard against CVE-2021-30657 and ensures that users are correctly prompted or denied before executing potentially dangerous executables.

How Syxsense Secure Can Help

Syxsense Secure provides automated patch management, vulnerability scanning, and IT management. It can detect if an endpoint is vulnerable to CVE-2021-30657 and deploy the corresponding security update efficiently, before any damage is done.

Syxsense Secure also provides the ability to push software to endpoint devices, limiting the attack surface of your company and providing your end users with safe access to the tools they need. Syxsense Secure also includes advanced features such as patch supersedence, patch roll back, and a wealth of automation and configuration features.

Further, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.