Dell Issues Security Advisory to Address Flaws
Researchers at security firm Eclypsium report that they have identified four vulnerabilities that could affect 30 million users of computer technology company Dell’s laptops, desktops and tablets.
The date of discovery was not revealed, but the first bug was fixed May 18, Eclypsium reports. The vulnerabilities, which have a cumulative CVSS score of 8.3 (high), put at risk 129 Dell models, including devices protected by Secure Boot and Secured-core PCs, Eclypsium says.
Affecting the BIOSConnect feature within the Dell Client BIOS, the vulnerabilities allow adversaries to impersonate Dell.com and execute arbitrary code on the affected device’s BIOS, the researchers say.
BIOSConnect is a feature that allows users to perform a remote operating system recovery or update their devices’ firmware by connecting the device BIOS to Dell back-end services over the internet.
An attacker could leverage the vulnerabilities to remotely execute code in the pre-boot environment, the report says. “Such code may alter the initial state of an OS, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls,” it adds. (see: Assess Your Organization’s Firmware Security Risk).
Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, explains how the vulnerabilities may affect users.
“The disclosed vulnerabilities in Dell Client BIOS illustrate how an attacker targets the trust relationships present in a software solution. In this case, there are multiple targets ranging from a MITM [man-in-the-middle] compromise to one targeting the trust a user has in their ‘known good’ BIOS’ behavior. Dell has provided BIOS updates for the impacted systems and guidance for how to apply the patched BIOS to systems in such a way as to avoid the potential for compromise during the update mechanism,” Mackey tells Information Security Media Group.
By June 24, Dell had remediated the multiple vulnerabilities for Dell BIOSConnect and HTTPS Boot features available with some Dell Client platforms, the company tells ISMG in a statement.
“The features will be automatically updated if customers have Dell auto-updates turned on. We encourage customers to review the Dell Security Advisory for more information, and if auto-updates are not enabled, follow the remediation steps at their earliest convenience. Thanks to Eclypsium researchers for working directly with us to resolve the issue,” the statement says.
CVE-2021-21571 is an improper certificate validation vulnerability that a remote unauthenticated attacker can exploit using a man-in-the-middle attack, which may lead to a denial of service and payload tampering. It allows an attacker with a privileged network position to impersonate Dell and deliver attacker-controlled content back to the victim device.
The other flaws, dubbed CVE-2021-21572, CVE-2021-21573 and CVE-2021-21574, are buffer overflow vulnerabilities. An authenticated malicious admin user with local access to the system may potentially exploit these vulnerabilities to run arbitrary code and bypass UEFI restrictions.
The security update issued by Dell notes that CVE-2021-21573 and CVE-2021-21574 were remediated on the server side and require no additional customer action.
CVE-2021-21571 and CVE-2021-21572 require Dell Client BIOS updates to address the vulnerabilities, the update says, and it offers additional information to determine the version of the remediated Dell Client BIOS to apply to the affected system.