Dell’s Pre-Installed Software Puts 30 Million PCs at Risk

essidsolutions

Nearly 30 million Dell computers and tablets have been found to have four new vulnerabilities that could lead to malicious content delivery and arbitrary code execution. If you are a Dell user looking to patch your machine, DISABLE automatic updates and apply them manually via the operating system.

Four new firmware-level vulnerabilities in 129 variants of personal desktop computers and laptops put tens of millions of devices at risk. Discovered by enterprise firmware protection company Eclypsium, the vulnerabilities reside in BIOSConnect, an update mechanism used for remote recovery of the device operating system or for updating the firmware on the device.

BIOSConnect is a feature of Dell’s SupportAssist that is preinstalled on all Dell devices with Windows OS. According to Dell, BIOSConnect provides a foundation platform allowing BIOS to connect to a Dell HTTPS backend and load an image via https method. This foundation expands the Serviceability feature set to enhance the on-box reliability experience by adding cloud-based Service OS (SOS) support.

[Figure] Source: Eclypsium

If exploited, these vulnerabilities could expose the affected devices’ BIOS/UEFI to arbitrary code execution by attackers able to impersonate Dell.com, and allow them to alter the device boot process. Exploitation of these four bugs could also undermine the operating system, as well as security controls residing at a higher level.

“These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls,” explained Eclypsium. “As attackers increasingly shift their focus to vendor supply chains and system firmware, it is more important than ever that organizations have independent visibility and control over the integrity of their devices.”

Exploiting these four vulnerabilities would not compromise the entire software supply chain of the updates Dell provides. Even so, they can be used to target specific individuals.

[Figure] Source: Eclypsium

The important thing to note here is that compromising the firmware through BIOSConnect grants attackers complete control over all components of the device, hardware and software alike.


What is the BIOS?

BIOS stands for Basic Input/Output System. It is a low-level component of a computer, also called firmware, stored on a small memory chip on the motherboard. BIOS provides the instructions a computer needs to carry out preliminary tasks such as determining the boot device, locating the drivers and software necessary for interfacing with hardware, and governing the data flow between the OS and all hardware components.

While booting the OS, BIOS initializes all attached hardware, such as the processor, system memory, network cards, audio/video controllers, peripherals, chipset, and internal drives and disk controllers.

Manufacturers have now started replacing BIOS with the Unified Extensible Firmware Interface (UEFI) in newer computers.

Dell BIOSConnect Vulnerabilities

Eclypsium classified one of the four vulnerabilities, tracked as CVE-2021-21571, as an insecure TLS connection bug that arises when a machine’s BIOS connects to the Dell backend. The bug appears to stem from an error in how BIOSConnect validates the TLS certificate: it leads the device to accept any ‘valid wildcard certificate’ for a secure connection to Dell servers, and by extension malicious content.

The bug does have a silver lining: an attacker seeking to exploit CVE-2021-21571 needs to be on the target computer’s network.
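As an added illustration of the certificate-validation flaw described above (this is not Eclypsium’s or Dell’s code, and BIOSConnect’s actual validation logic is not shown on this page), the following Python contrasts a hostname check that accepts any wildcard certificate with one that requires the name to match the intended Dell host. The certificate dictionaries are constructed samples in the shape returned by Python’s `ssl.SSLSocket.getpeercert()`.

```python
"""Contrast a weak TLS hostname check with a strict one.

Hypothetical example, not BIOSConnect's real code. Assumes the flaw is that a
wildcard certificate chaining to any trusted CA is accepted without checking
that its name matches the Dell host the client meant to reach."""

# Constructed sample certificates (not real Dell certificates).
WILDCARD_ANY_CA = {"subject": ((("commonName", "*.example.net"),),),
                   "subjectAltName": (("DNS", "*.example.net"),)}
DELL_LIKE = {"subject": ((("commonName", "downloads.dell.com"),),),
             "subjectAltName": (("DNS", "downloads.dell.com"),)}


def _dns_names(cert):
    """Collect the DNS names a certificate claims (SAN first, CN as fallback)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def _label_matches(pattern, hostname):
    """RFC 6125 style matching: '*' may only replace the whole left-most label,
    must cover exactly one label, and needs at least two labels after it."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def weak_check(cert, expected_host):
    """Models the described flaw: any wildcard name is treated as acceptable,
    so a certificate for an unrelated domain passes for the Dell backend."""
    return any(n.startswith("*.") or n == expected_host for n in _dns_names(cert))


def strict_check(cert, expected_host):
    """Correct behaviour: the certificate must actually name the expected host."""
    return any(_label_matches(n, expected_host) for n in _dns_names(cert))
```

The weak check accepts the unrelated wildcard certificate for `downloads.dell.com`; the strict check rejects it and only passes the certificate that names that host.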

The other three flaws, CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574, are overflow vulnerabilities. Of the three bugs, two affect the OS recovery process, and the third is in the firmware update process. Eclypsium found that all three vulnerabilities are independent of each other, and each could lead to arbitrary code execution in BIOS.

All four vulnerabilities have a cumulative CVSS score of 8.3, placing them in the ‘High’ severity category. These flaws reside in approximately 30 million Dell devices including desktops, laptops, and tablets. Variants include Alienware, ChengMing, G Series, Inspiron, Latitude, OptiPlex, Precision, Vostro, and XPS.

Mitigation of Dell BIOSConnect Vulnerabilities

Dell has been working with Eclypsium since March this year, when the latter apprised the third-largest vendor of personal computers of the threat. Since then, Dell has made a BIOS/UEFI update available.

Ironically, Eclypsium recommends not updating the firmware through BIOSConnect, a component specifically designed to enable seamless updates. Instead, the company suggests that users manually download the BIOS update executable file and run it from the installed operating system.

Two of the three overflow vulnerabilities, CVE-2021-21573 and CVE-2021-21574, have been fixed by Dell on the server side. The remaining two need to be addressed with the BIOS update as soon as possible.

Disabling BIOSConnect or HTTPS Boot provides a temporary workaround as well, but re-enabling either would make the device vulnerable to exploitation again.

To disable BIOSConnect:
BIOS Setup Menu Type A: F2 > Update, Recovery > BIOSConnect > Switch to Off
BIOS Setup Menu Type B: F2 > Settings > SupportAssist System Resolution > BIOSConnect > Uncheck BIOSConnect option

To disable HTTPS Boot:
BIOS setup page > Connection > HTTP(s) Boot > Switch to Off
BIOS Setup Menu Type B: F2 > Settings > SupportAssist System Resolution > BIOSConnect > Uncheck BIOSConnect option


Closing Thoughts

It remains unclear whether these four vulnerabilities are OS-specific, since neither Eclypsium nor Dell has clarified this. Moreover, given previous SupportAssist bugs, its prospects as a tool users can rely on for device management are questionable.

This is the fourth time in five years that Dell devices have been found to harbor low-level flaws, which raises the question of whether vendors should be required to undergo a security certification process that includes external audits.
