Because tech vendors have turned to over-the-air updates – the idea is to not give their customers any excuses for not keeping firmware current – Eclypsium’s discovery of a chain of four vulnerabilities in the BIOSConnect feature within Dell Client BIOS all the more alarming.
The flaws, which affect 129 models of Dell laptops, desktops and tablets, have a cumulative CVSS score of 8.3, or High, since a privileged network actor can “impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device,” Eclypsium researchers wrote in a blog post. That would give attackers control of boot processes as well as subvert an operating system and high-layer security controls.
BIOSConnect is a feature on Dell SupportAssist, a support solution preinstalled on most Windows-based Dell machines. Among many support functions, it includes monitoring for hardware and software problems and assistance with troubleshooting and recovery after issues are found, the researchers said.
Eclypsium estimates the vulnerabilities affect 30 million devices, even secured-core PCs with Secure Boot enabled.
The researchers discovered the vulnerabilities on a Dell Secured-core PC Latitude 5310 that was using Secure Boot, and later confirmed the issue was broader, existing on other desktop and laptop models.
One of the vulnerabilities, CVE-2021-21571, essentially creates an insecure TLS from BIOS to the Dell HTTP server. The BIOSConnect accepts any valid wildcard certificate, which is what allows attackers with a privileged network position to impersonate Dell, then deliver their own content to the victim device.
“Any valid wildcard certificate issued by any of the built-in [certificate authorities] CAs contained within the BIOSConnect feature in BIOS will satisfy the secure connection condition, and BIOSConnect will proceed to retrieve the relevant files,” the researchers explained. “The bundle of CA root certificates in the BIOS image was sourced from Mozilla’s root certificate file.”
If the UEFI Secure Boot is disabled, then attackers can exploit the vulnerability to get arbitrary remote code execution in the UEFI/pre-boot environment on the client device without having to exploit additional buffer overflow vulnerabilities.
In addition, miscreants can exploit some HTTPS Boot configurations using the same underlying verification code. When verification is performed, “any valid certificate for any domain acquired from the same CA will be accepted, not just those for the configured remote boot server,” the researchers explained. They recommend not using CAs that issue certificates broadly.
The researchers said the system BIOS/UEFI must be updated for the systems affected, but warn users not to use BIOSConnect to perform the firmware update. “Instead, it is advisable to run the BIOS update executable from the OS after manually checking the hashes against those published by Dell,” they wrote.
After being contacted by Eclypsium, Dell worked on disclosing the flaw, issuing a security advisory and making updates available for all vulnerabilities on June 24.
“Dell customers must be prepared to act quickly to ensure their businesses are safe from this vulnerability,” said Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber.
Since cyber hygiene preparedness varies across organizations and “even from team to team within the same company,” though, Bar-Dayan recommends organizations assess their cybersecurity readiness by answering the following questions:
- Do I know what level of risk this vulnerability actually poses to my specific business?
- Is the risk posed by the Dell Client BIOS vulnerability more critical to my business than other vulnerabilities?
- Do I have a way to determine whether or not I am comfortable with this risk (gut feelings don’t count)?
- Are we properly resourced to do the work necessary to eliminate this risk through an orchestrated, deliberate vulnerability remediation campaign?
All good questions. How does your organization stack up?