BIOSConnect code execution bugs impact millions of Dell devices

A critical bug chain allows attackers to impersonate the vendor and impact code at the root level.

Researchers have discovered a set of vulnerabilities that can be chained together to perform code execution attacks on Dell machines. 

On Thursday, Eclypsium said the vulnerabilities, which together equate to a critical chain with a cumulative CVSS score of 8.3, were discovered in the BIOSConnect feature within Dell SupportAssist. 

Altogether, the security flaws could be exploited to impersonate Dell.com and attack the BIOS/UEFI level in a total of 128 Dell laptops, tablets, and desktop models, including those with Secure Boot enabled and Secured-core PCs, owned by millions of consumers and business users. 

According to Eclypsium, "such an attack would enable adversaries to control the device's boot process and subvert the operating system and higher-layer security controls." 

Dell SupportAssist, often pre-installed on Windows-based Dell machines, is used to manage support functions including troubleshooting and recovery. The BIOSConnect facility can be used to recover an OS in cases of corruption as well as to update firmware. 

In order to do so, the feature connects to Dell's cloud infrastructure to pull requested code to a user's device. 

The researchers discovered four vulnerabilities in this process that would allow "a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines."

The first issue is that when BIOSConnect attempts to connect to Dell's backend HTTP server, any valid wildcard certificate is accepted, "allow[ing] an attacker to impersonate Dell and deliver attacker-controlled content back to the victim device."

Additionally, the team found that some HTTPS Boot configurations use the same underlying verification code, potentially rendering them exploitable. 
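The certificate issue described above comes down to whether the name on the certificate is compared with the host being contacted. The following C sketch is an added example, not code from Dell or Eclypsium: `flawed_accept` is an assumed model of the reported behaviour, `strict_accept` is a hardened check that limits a wildcard to one left-most label, and all host names are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two DNS names. */
static bool eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Assumed model of the reported flaw: a wildcard name on a certificate
 * with a valid chain is accepted without being compared to the host. */
bool flawed_accept(const char *cert_name, const char *host)
{
    if (strncmp(cert_name, "*.", 2) == 0)
        return true;
    return eq_nocase(cert_name, host);
}

/* Hardened check: the name must match the host actually being contacted. */
bool strict_accept(const char *cert_name, const char *host)
{
    if (strncmp(cert_name, "*.", 2) != 0)
        return eq_nocase(cert_name, host);        /* exact name only */
    const char *suffix = cert_name + 1;           /* e.g. ".vendor.example" */
    if (!strchr(suffix + 1, '.') || strchr(suffix, '*'))
        return false;                             /* "*.example" or extra '*' */
    const char *rest = strchr(host, '.');         /* host minus its first label */
    if (rest == NULL || rest == host)
        return false;                             /* wildcard needs one real label */
    return eq_nocase(rest, suffix);               /* covers exactly one label */
}

int main(void)
{
    /* Constructed names; "updates.vendor.example" stands in for the backend. */
    const char *host = "updates.vendor.example";
    const char *names[] = { "*.vendor.example", "*.unrelated.example", "*.example" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s flawed=%d strict=%d\n", names[i],
               flawed_accept(names[i], host), strict_accept(names[i], host));
    return 0;
}
```

Chain validation is assumed to have succeeded before either function runs; the name check is an additional requirement, not a replacement for it.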

Three independent vulnerabilities, described as overflow bugs, were also uncovered by the researchers. Two impacted the OS recovery process, whereas the other was present in the firmware update mechanism. In each case, an attacker could perform arbitrary code execution in BIOS.

However, the technical details of these vulnerabilities will not be disclosed until an upcoming DEFCON presentation in August. 
 
"An attack scenario would require an attacker to be able to redirect the victim's traffic, such as via a Machine-in-the-Middle (MITM) attack," the researchers say. "Successfully compromising the BIOS of a device would give an attacker a high degree of control over a device. The attacker could control the process of loading the host operating system and disable protections in order to remain undetected."

Eclypsium completed its investigation into Dell's software on March 2 and notified Dell PSIRT a day later, which acknowledged the report. The vendor has since issued a security advisory and has scheduled BIOS/UEFI updates for impacted systems. 

Dell device owners should accept BIOS/UEFI updates as soon as they are available -- and patches are due to be released today. The vendor has also provided mitigation options, as detailed in the firm's advisory. 

"Dell remediated multiple vulnerabilities for Dell BIOSConnect and HTTPS Boot features available with some Dell Client platforms," Dell told ZDNet. "The features will be automatically updated if customers have Dell auto-updates turned on. We encourage customers to review the Dell Security Advisory (DSA-2021-106) for more information, and if auto-updates are not enabled, follow the remediation steps at their earliest convenience. Thanks to Eclypsium researchers for working directly with us to resolve the issue."
