4 Dell Bugs Could Affect 30 Million Users
Dell Issues Security Advisory to Address Flaws
Researchers at security firm Eclypsium report that they have identified four vulnerabilities that could affect 30 million users of computer technology company Dell's laptops, desktops and tablets.
The date of discovery was not revealed, but the first bug was fixed May 18, Eclypsium reports. The vulnerabilities, which have a cumulative CVSS score of 8.3 (high), put at risk 129 Dell models, including devices protected by Secure Boot and Secured-core PCs, Eclypsium says.
Affecting the BIOSConnect feature within the Dell Client BIOS, the vulnerabilities allow adversaries to impersonate Dell.com and execute arbitrary code on the affected device's BIOS, the researchers say.
BIOSConnect is a feature that allows users to perform a remote operating system recovery or update their devices' firmware by connecting the device BIOS to Dell back-end services over the internet.
An attacker could leverage the vulnerabilities to remotely execute code in the pre-boot environment, the report says. "Such code may alter the initial state of an OS, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls," it adds. (See: Assess Your Organization's Firmware Security Risk.)
Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, explains how the vulnerabilities may affect users.
"The disclosed vulnerabilities in Dell Client BIOS illustrate how an attacker targets the trust relationships present in a software solution. In this case, there are multiple targets ranging from a MITM [man-in-the-middle] compromise to one targeting the trust a user has in their 'known good' BIOS’ behavior. Dell has provided BIOS updates for the impacted systems and guidance for how to apply the patched BIOS to systems in such a way as to avoid the potential for compromise during the update mechanism," Mackey tells Information Security Media Group.
By June 24, Dell had remediated the multiple vulnerabilities for Dell BIOSConnect and HTTPS Boot features available with some Dell Client platforms, the company tells ISMG in a statement.
"The features will be automatically updated if customers have Dell auto-updates turned on. We encourage customers to review the Dell Security Advisory for more information, and if auto-updates are not enabled, follow the remediation steps at their earliest convenience. Thanks to Eclypsium researchers for working directly with us to resolve the issue," the statement says.
CVE-2021-21571 is an improper certificate validation vulnerability that a remote unauthenticated attacker can exploit using a man-in-the-middle attack, which may lead to a denial of service and payload tampering. It allows an attacker with a privileged network position to impersonate Dell and deliver attacker-controlled content back to the victim device.
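The certificate-validation failure behind CVE-2021-21571 is a client-side pattern that can be checked for in any HTTPS client. The following is an added illustration, not Dell's or Eclypsium's code: it places the weak configuration (TLS negotiated, peer never verified) beside the corrected one (chain and hostname verified) and includes a small audit helper, using only Python's standard `ssl` module; the `cafile` parameter is an assumed hook for a vendor-specific trust bundle.

```python
import ssl
from typing import List, Optional

# Constructed example (not Dell's or Eclypsium's code). It contrasts an HTTPS
# client that skips certificate validation, the bug class behind CVE-2021-21571,
# with one that validates the chain and hostname, and provides an audit helper
# that flags the weak settings so the check can be reused in a review or test.


def insecure_context() -> ssl.SSLContext:
    """The weak pattern: TLS is negotiated, but the peer is never verified, so any
    on-path party can present its own certificate and impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # hostname in the certificate is ignored
    ctx.verify_mode = ssl.CERT_NONE    # certificate chain is not checked at all
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected pattern: require a chain rooted in trusted CAs and a matching
    hostname. `cafile` (assumed, hypothetical) lets a vendor pin its own CA bundle
    instead of trusting every public root on the machine."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse legacy protocol versions
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation weaknesses present in a client context.
    An empty list means the context verifies its peer the way a client should."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```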
The other flaws, tracked as CVE-2021-21572, CVE-2021-21573 and CVE-2021-21574, are buffer overflow vulnerabilities. An authenticated malicious admin user with local access to the system may potentially exploit these vulnerabilities to run arbitrary code and bypass UEFI restrictions.
The security update issued by Dell notes that CVE-2021-21573 and CVE-2021-21574 were remediated on the server side and require no additional customer action.
CVE-2021-21571 and CVE-2021-21572 require Dell Client BIOS updates to address the vulnerabilities, the update says, and it offers additional information to determine the version of the remediated Dell Client BIOS to apply to the affected system.
Update: This report noted that Dell Secured-core PCs, i.e., those fitted with Microsoft's System Guard firmware protection, were among those affected. Following publication, a Microsoft spokesperson contacted ISMG and noted: "The attack described in the published research circumvents protections provided by secure boot. However, Secured-core PCs go a step further and implement System Guard firmware protection which helps protect sensitive assets stored in virtualization-based security, like credentials, from attacks that take advantage of firmware vulnerabilities to bypass features like secure boot. The threat model of secured-core assumes a compromised firmware such as the case presented here, and thus the attack as described would still be subject to security verification by the firmware protection features in secured-core. A failure of verification by System Guard would cause the system to fail attestation and zero trust solutions like Microsoft's conditional access would then block the device from protected cloud access. The documentation provided so far by the researchers does not demonstrate how System Guard could be bypassed using the discovered vulnerabilities."
However, Microsoft’s response was described by Mickey Shkatov, principal researcher at Eclypsium, as, "A strawman of our statements in order to divert attention from what we actually said. Remote attestation for access to cloud assets is irrelevant and does nothing to prevent exploiting a vulnerability in UEFI firmware to achieve arbitrary code execution in the pre-boot environment and leveraging that to gain access to user data on the device or gain arbitrary code execution once a user logs into the system. We'll be providing more details at our DEF CON talk."