Dell’s preinstalled software puts 30 million PCs at risk

Almost 30 million Dell computers and tablets are affected by four newly disclosed vulnerabilities that could let an attacker deliver malicious content to the machine's firmware and execute arbitrary code before the operating system loads. If you own one of these Dell machines, do not rely on the built-in BIOSConnect mechanism to apply the fix: download the BIOS update from Dell and run it manually from within the operating system.

The four firmware vulnerabilities affect 129 models of Dell consumer and business desktops, laptops and tablets, an estimated 30 million devices in total. Discovered by the enterprise firmware security company Eclypsium, they reside in BIOSConnect, a mechanism built into the firmware that is used to recover the device's operating system remotely or to update the firmware itself.

BIOSConnect is part of Dell SupportAssist, which is preinstalled on all Dell devices that ship with Windows. According to Dell, BIOSConnect provides a base platform for the BIOS to connect to a Dell HTTPS backend and download an image over HTTPS. This foundation extends the serviceability feature set and improves the recovery experience on the box by adding cloud-based Service OS (SOS) support.

(Image source: Eclypsium)

If exploited, the vulnerabilities allow an attacker in a privileged network position to impersonate Dell's backend and gain arbitrary code execution at the BIOS/UEFI level of the affected device, altering its boot process. Code running at that level can in turn subvert the operating system and the security controls that sit above it.

“These vulnerabilities allow an attacker to execute code remotely in the preboot environment. Such code can alter the initial state of an operating system, violating common assumptions about hardware/firmware layers and breaking security controls at the operating system level,” Eclypsium explains. “As attackers increasingly focus on vendor supply chains and system firmware, it is more important than ever that organizations have independent visibility and control over the integrity of their devices.”

Exploiting these four vulnerabilities does not compromise Dell's update supply chain as a whole: the attacker has to sit on the network path between a specific machine and Dell's servers. That makes the bugs a tool for targeting particular individuals or organizations rather than every Dell customer at once.

(Image: Dell BIOSConnect vulnerability. Source: Eclypsium)

The important thing to note here is that a firmware compromise via BIOSConnect gives the attacker code execution at the most privileged level of the device, below the operating system. From there, both the hardware initialization and every layer of software that boots afterwards can be tampered with.


What is BIOS?

BIOS stands for Basic Input/Output System. It is low-level software, also called firmware, stored in a small flash memory chip on the motherboard. The BIOS provides the instructions a computer needs for its first tasks after power-on: selecting the boot device, locating the code and drivers needed to bring up the hardware, and setting up how the operating system will talk to the hardware components.

During startup the BIOS initializes all attached hardware, such as the processor, system memory, network cards, audio and video controllers, peripherals, the chipset and internal drives, before handing control to the operating system's boot loader.

Manufacturers have largely replaced the legacy BIOS with the Unified Extensible Firmware Interface (UEFI) in newer computers. The affected Dell models run UEFI firmware, but the term "BIOS" is still commonly used for it, as in "BIOS update" and "BIOSConnect".

Dell BIOSConnect vulnerabilities

Eclypsium classifies the first of the four vulnerabilities, tracked as CVE-2021-21571, as an insecure TLS connection from the BIOS to Dell's backend. The flaw is in how BIOSConnect validates the server's certificate: it accepts any valid wildcard certificate, regardless of which domain the certificate was issued for, as long as it chains to a trusted CA. An attacker holding such a certificate can therefore impersonate Dell's backend and serve malicious content to the firmware.

The one limiting factor is that an attacker exploiting CVE-2021-21571 must be in a privileged network position, able to intercept or redirect the target machine's traffic to Dell's servers, for instance from the same local network.
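The certificate flaw is easier to reason about with code. The following is an added example, not Eclypsium's analysis or Dell's firmware: a minimal TLS peer check that contrasts a verifier which stops at "the chain is valid" with one that also binds the certificate to the host the client intended to reach, using RFC 6125-style wildcard matching. The certificate structure, the hostnames (`firmware.dell.example`, `*.attacker.example`) and the `verify_peer_weak` model of the failure mode are all constructed for illustration; the page does not show BIOSConnect's real validation logic.

```python
"""
Added example: chain validation alone vs. chain validation plus host binding.
A CA-issued wildcard certificate for some other domain passes the first check
and must fail the second. Hostnames and certificates below are made up.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 leaf certificate (constructed for this example)."""
    subject_cn: str
    sans: List[str] = field(default_factory=list)   # dNSName SubjectAltName entries
    chain_valid: bool = True   # outcome of chain/signature/expiry checks, assumed done elsewhere


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate name against the expected host.

    Conservative rules:
      * case-insensitive; a trailing dot is ignored
      * at most one '*', and it must be the whole leftmost label
      * the wildcard matches exactly one label, never zero or several
      * a wildcard needs at least two fixed labels after it, so '*.com'
        (a public suffix) never matches anything
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if not p or not h or "*" in h:
        return False
    if "*" not in p:
        return p == h
    p_labels = p.split(".")
    h_labels = h.split(".")
    if p.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    # leftmost label is the wildcard; every remaining label must match exactly
    return h_labels[1:] == p_labels[1:]


def names_to_check(cert: Cert) -> List[str]:
    """Per RFC 6125, use the SAN extension when present; fall back to CN only if it is absent."""
    return list(cert.sans) if cert.sans else [cert.subject_cn]


def verify_peer_weak(cert: Cert, expected_host: str) -> bool:
    """Models the failure mode described for CVE-2021-21571: the chain is checked,
    but the certificate is never bound to the host the client meant to reach, so any
    CA-issued certificate is accepted. Illustrative only, not Dell's actual code."""
    return cert.chain_valid


def verify_peer_strict(cert: Cert, expected_host: str) -> bool:
    """Chain validity AND a name match against the intended host."""
    if not cert.chain_valid:
        return False
    return any(hostname_matches(n, expected_host) for n in names_to_check(cert))


# Constructed certificates; the hostnames are illustrative, not Dell's real backend.
DELL_BACKEND = "firmware.dell.example"
DELL_CERT = Cert(subject_cn="firmware.dell.example", sans=["*.dell.example"])
ATTACKER_CERT = Cert(subject_cn="anything.attacker.example", sans=["*.attacker.example"])


def demo() -> dict:
    """Which verifier accepts which certificate when connecting to the backend host."""
    return {
        "weak_accepts_attacker": verify_peer_weak(ATTACKER_CERT, DELL_BACKEND),
        "strict_accepts_attacker": verify_peer_strict(ATTACKER_CERT, DELL_BACKEND),
        "strict_accepts_dell": verify_peer_strict(DELL_CERT, DELL_BACKEND),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The point of the strict verifier is that a wildcard is only meaningful relative to the domain the client expected: `*.dell.example` is fine for `firmware.dell.example`, while `*.attacker.example`, however properly issued, must be rejected for that host. A real client would get the SAN list and chain result from its TLS library rather than from a dataclass, but the binding step is the one a firmware HTTPS client cannot skip.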

The other three flaws, CVE-2021-21572, CVE-2021-21573 and CVE-2021-21574, are overflow vulnerabilities. Two affect the operating system recovery process and the third the firmware update process. Eclypsium found that each of the three is independently exploitable for arbitrary code execution in the BIOS once an attacker can feed the firmware malicious content via the TLS flaw.

Chained together, the four vulnerabilities carry a cumulative CVSS score of 8.3, which places them in the "High" severity category. They affect roughly 30 million Dell desktops, laptops and tablets across the Alienware, ChengMing, G Series, Inspiron, Latitude, OptiPlex, Precision, Vostro and XPS lines.

Dell BIOSConnect Vulnerability Mitigation

Dell has been working with Eclypsium since March of this year, when the firm notified the world's third-largest PC vendor of the flaws. Dell has since released BIOS/UEFI updates for the affected models.

Ironically, Eclypsium recommends against applying the fix through BIOSConnect, the very component designed to make firmware updates seamless, since that update channel is what the vulnerabilities affect. Instead, users should download the BIOS update executable from Dell and run it from within the installed operating system.

Two of the three overflow vulnerabilities, CVE-2021-21573 and CVE-2021-21574, were fixed by Dell on the server side and need no action from users. The other two, CVE-2021-21571 and CVE-2021-21572, are fixed in the firmware and require the BIOS update, which should be applied as soon as possible.

Disabling BIOSConnect and HTTPS Boot in the BIOS setup also works as an interim workaround, but re-enabling either feature leaves the device vulnerable again until the BIOS has been updated.

To disable BIOSConnect:
BIOS Setup Menu Type A: F2 > Update, Recovery > BIOSConnect > Switch to Off
BIOS Setup Menu Type B: F2 > Settings > SupportAssist System Resolution > BIOSConnect > Uncheck the BIOSConnect option

To disable HTTPS Boot:
BIOS Setup Menu Type A: F2 > Connection > HTTP(s) Boot > Switch to Off
BIOS Setup Menu Type B: F2 > Settings > SupportAssist System Resolution > BIOSConnect > Uncheck the BIOSConnect option (the same option as above; Type B menus list no separate HTTPS Boot switch)


Closing thoughts

Neither Eclypsium nor Dell has stated whether the exposure depends on the installed operating system. Since BIOSConnect runs in firmware before any operating system loads, the vulnerable code is the same whatever is installed, although the SupportAssist client that invokes it is preinstalled only on Windows machines. Given SupportAssist's history of security bugs, its value as a tool users can trust for device management is questionable.

This is the fourth time in five years that Dell devices have suffered from low-level vulnerabilities, which raises the question of whether vendors should be required to go through a security certification process that includes external audits.
