WARNING ⚠️: Over 30 Million Dell Devices at Risk for Remote BIOS Attacks, RCE.

Four separate security bugs would give attackers almost complete control and persistence over targeted devices, thanks to a faulty update mechanism.

A high-severity series of four vulnerabilities can allow remote adversaries to gain arbitrary code execution in the pre-boot environment on Dell devices, researchers said. They affect an estimated 30 million individual Dell endpoints worldwide.

According to an analysis from Eclypsium, the bugs affect 129 models of laptops, tablets and desktops, including enterprise and consumer devices, that are protected by Secure Boot. Secure Boot is a security standard aimed at making sure that a device boots using only software that is trusted by the device's original equipment manufacturer (OEM), to prevent rogue takeovers.

The bugs allow privileged network adversaries to circumvent Secure Boot protections, control the device’s boot process, and subvert the operating system and higher-layer security controls, researchers at Eclypsium said on Thursday. They carry a cumulative CVSS score of 8.3 out of 10.

“Technology vendors of all types are increasingly implementing over-the-air update processes to make it as easy as possible for their customers to keep their firmware up to date and recover from system failures,” researchers noted in an analysis. “And while this is a valuable option, any vulnerabilities in these processes, such as those we’ve seen here in Dell’s BIOSConnect, can have serious consequences.”

Specifically, the issues affect the BIOSConnect feature within Dell SupportAssist (a technical support solution that comes preinstalled on most Windows-based Dell machines). BIOSConnect is used to perform remote OS recoveries or to update the firmware on the device.

The report noted that the specific vulnerabilities allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device.

“This combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future,” the report concluded.

Insecure TLS Connection: Impersonating Dell

The first vulnerability (CVE-2021-21571) is the beginning of a chain that can lead to remote code execution (RCE).

When BIOSConnect attempts to connect to the backend Dell HTTP server to perform a remote update or recovery, it enables the system’s BIOS (the firmware used to perform hardware initialization during the booting process) to reach out to Dell backend services over the internet. Then, it coordinates an update or recovery process.

The issue is that the TLS connection used to connect BIOS to the backend servers will accept any valid wildcard certificate, Eclypsium researchers said. So, an attacker with a privileged network position can intercept that connection, impersonate Dell and deliver attacker-controlled content back to the victim device.

“The process of verifying the certificate for dell.com is done by first retrieving the DNS record from the hard-coded server 8.8.8.8, then establishing a connection to [Dell’s download site],” according to the analysis. “However, any valid wildcard certificate issued by any of the built-in Certificate Authorities contained within the BIOSConnect feature in BIOS will satisfy the secure connection condition, and BIOSConnect will proceed to retrieve the relevant files. The bundle of CA root certificates in the BIOS image was sourced from Mozilla’s root certificate file (certdata.txt).”
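The certificate flaw described above comes down to a TLS client that checks that a certificate chains to a trusted CA but never checks that the certificate's name is bound to the host it intended to reach. The following is an added example, not Eclypsium's analysis code or Dell's firmware; it models certificates as constructed SAN name lists (no real X.509 parsing) and uses a made-up intended host, update.vendor.example, in place of Dell's real download host. It places the flawed "chain only" check beside the correct "chain plus hostname" check, with RFC 6125-style wildcard matching so that a wildcard for some other domain, or an over-broad wildcard such as *.example, is rejected.

```python
"""Chain-only versus chain-plus-hostname TLS certificate acceptance.

Added example (not Eclypsium's or Dell's code). Certificates are stand-ins
built from constructed Subject Alternative Name lists, and the intended host
'update.vendor.example' is a placeholder, not Dell's real download site.
"""
from dataclasses import dataclass, field
from typing import Iterable, List


def _match_label_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name matching for one SAN entry.

    A wildcard is allowed only as the entire left-most label, it matches
    exactly one label (never across a dot), and at least two fixed labels
    must remain so that '*.example' cannot match every host under a TLD.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.vendor.example' must not match 'a.b.vendor.example'
    first, rest = p_labels[0], p_labels[1:]
    if first != "*" or rest != h_labels[1:]:
        return False  # partial wildcards ('upd*') and inner '*' are rejected
    return len(rest) >= 2 and h_labels[0] != ""


def hostname_matches(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN dNSName entry binds the certificate to `hostname`."""
    return any(_match_label_pattern(name, hostname) for name in san_dns_names)


@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate after chain validation."""
    trusted_chain: bool               # did it chain to a built-in CA root?
    san: List[str] = field(default_factory=list)


def lax_accept(cert: Cert, intended_host: str) -> bool:
    """Models the flawed behaviour: any CA-issued certificate is enough."""
    return cert.trusted_chain


def strict_accept(cert: Cert, intended_host: str) -> bool:
    """Correct behaviour: the chain must validate AND the name must match."""
    return cert.trusted_chain and hostname_matches(cert.san, intended_host)


# Constructed inputs: a placeholder update host, the vendor's own wildcard
# certificate, and a valid wildcard certificate for an unrelated domain.
INTENDED_HOST = "update.vendor.example"
VENDOR_CERT = Cert(trusted_chain=True, san=["*.vendor.example"])
UNRELATED_CERT = Cert(trusted_chain=True, san=["*.other.example"])


def compare_checks() -> dict:
    """Returns each check's verdict on both certificates for the intended host."""
    return {
        "lax_vendor": lax_accept(VENDOR_CERT, INTENDED_HOST),
        "lax_unrelated": lax_accept(UNRELATED_CERT, INTENDED_HOST),
        "strict_vendor": strict_accept(VENDOR_CERT, INTENDED_HOST),
        "strict_unrelated": strict_accept(UNRELATED_CERT, INTENDED_HOST),
    }


if __name__ == "__main__":
    for name, verdict in compare_checks().items():
        print(f"{name}: {'accept' if verdict else 'reject'}")
```

The lax check accepts both certificates, which is the condition the report describes; the strict check accepts only the certificate whose SAN actually covers the intended host. In a real client the same name check should be applied to the parsed SAN extension of the leaf certificate after chain validation, and pinning the expected host name (or the vendor's CA) narrows the trusted set further.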

Overflow Vulnerabilities Enabling Arbitrary Code Execution

Once this first “gatekeeper” bug is exploited to deliver malicious content back to the victim machine, attackers then have a choice of three distinct and independent overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, CVE-2021-21574), any of which can be used to gain pre-boot RCE on the target device, researchers said.

Two of the vulnerabilities affect the OS recovery process, while the third affects the firmware update process, according to Eclypsium, which isn’t releasing further technical details yet.

Figure: The attack scenario. Source: Eclypsium

Any attack scenario would require an attacker to be able to redirect the victim’s traffic, such as via a machine-in-the-middle (MITM) attack – something that’s not much of a barrier, researchers said.

“Machine-in-the-middle attacks are a relatively low bar to sophisticated attackers, with techniques such as ARP spoofing and DNS cache poisoning being well-known and easily automated,” according to the report. “Additionally, enterprise VPNs and other network devices have become a top target of attackers, and flaws in these devices can allow attackers to redirect traffic. And finally, end-users working from home are increasingly reliant on SOHO networking gear. Vulnerabilities are quite common in these types of consumer-grade networking devices and have been exploited in widespread campaigns.”

The groundwork needed to carry out an attack is likely a worthwhile tradeoff for cybercriminals, given that a successful compromise of the BIOS of a device would allow attackers to establish ongoing persistence while controlling the highest privileges on the device. This is because they would control the process of loading the host operating system, and would be able to disable protections in order to remain undetected, the report noted.

“The virtually unlimited control over a device that this attack can provide makes the fruit of the labor well worth it for the attacker,” Eclypsium researchers said.

Dell Issues Patches

Dell has now pushed out patches for BIOS on all of the affected systems. For details, refer to its advisory.

“It is advisable to run the BIOS update executable from the OS after manually checking the hashes against those published by Dell,” Eclypsium recommended, rather than relying on BIOSConnect to apply BIOS updates.
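Checking a downloaded update against the vendor's published hash is a short procedure, but it has a few details worth getting right: hashing in chunks so large firmware images do not have to fit in memory, normalising case and stray whitespace in the pasted digest, treating a malformed "published" value as a failure rather than a pass, and comparing in constant time. The following is an added example, not Dell's tooling; the sample file contents and the "published" digest (the SHA-256 of the constructed bytes b"abc") are constructed, and a real check would take the digest from the vendor's advisory page.

```python
"""Verify a downloaded update file against a published SHA-256 before use.

Added example, not Dell's tooling. Sample bytes and the 'published' digest
are constructed; PUBLISHED_SHA256 is the SHA-256 of b"abc", not a real
Dell-published value.
"""
import hashlib
import hmac
import os
import tempfile

_HEX_DIGITS = set("0123456789abcdef")


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published_sha256: str) -> bool:
    """True only if the file's SHA-256 equals the published digest.

    The published value is lower-cased and stripped (hashes are often pasted
    with trailing newlines or in upper case); anything that is not 64 hex
    digits is rejected outright instead of being treated as a match.
    """
    expected = published_sha256.strip().lower()
    if len(expected) != 64 or not set(expected) <= _HEX_DIGITS:
        return False
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


# Constructed: SHA-256 of the sample bytes b"abc", written in upper case with a
# trailing newline to mimic a digest copied from a web page.
PUBLISHED_SHA256 = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n"


def _write_temp(content: bytes) -> str:
    """Write constructed sample content to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as handle:
        handle.write(content)
    return path


def demo() -> dict:
    """Run the check on an intact file, a tampered file and a malformed digest."""
    intact = _write_temp(b"abc")
    tampered = _write_temp(b"abd")  # one byte changed in transit
    try:
        return {
            "intact": verify_download(intact, PUBLISHED_SHA256),
            "tampered": verify_download(tampered, PUBLISHED_SHA256),
            "malformed_digest": verify_download(intact, "deadbeef"),
        }
    finally:
        os.remove(intact)
        os.remove(tampered)


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'OK, run the update' if ok else 'MISMATCH, do not run'}")
```

Only the intact file passes; a single changed byte or a malformed reference digest fails closed. The digest should be taken from the vendor's advisory over a separately verified connection, since a hash fetched over the same channel that delivered the file adds nothing.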
