Bugs Found in Dell SupportAssist Allowed Attackers to Remotely Execute Code

Four major security vulnerabilities were discovered in the BIOSConnect feature of Dell SupportAssist. The Dell SupportAssist vulnerabilities were allowing attackers to remotely execute code within the BIOS of impacted devices.

The SupportAssist software is preinstalled on most Dell devices running Windows operating system, while BIOSConnect provides remote firmware update and OS recovery features.

The chain of flaws that were discovered by the Eclypsium researchers comes with a CVSS base score of 8.3/10 and enables privileged remote attackers in order to impersonate Dell.com and take control of the target device’s boot process to break OS-level security controls.

Such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls.

The issue affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs.

Source

One issue identified is leading to an insecure TLS connection from BIOS to Dell (tracked as CVE-2021-21571) and three overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574).

When looking at the overflow security flaws it was discovered that two of them were affecting the OS recovery process, while the other ones were affecting the firmware update process.

Users Are Advised to Not Use BIOSConnect to Update Their BIOS

The users will have to update the system BIOS/UEFI for all affected systems, but the researchers recommend using an alternate method other than the SupportAssist’s BIOSConnect feature.

It looks like CVE-2021-21573 and CVE-2021-21574 are not requiring additional customer actions as they were addressed server-side on May 28, 2021, but CVE-2021-21571 and CVE-2021-21572 do require for the Dell Client BIOS updates to be fully addressed.

The specific vulnerabilities covered here allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device.

This combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future, and organizations should make sure to monitor and update their devices accordingly.

Source

Unfortunately, this is not the first time when Dell computer owners have been exposed to attacks by security vulnerabilities found in the SupportAssist software, as in May 2019, the company patched a high-severity SupportAssist remote code execution (RCE) vulnerability caused by an improper origin validation weakness.

SupportAssist was patched also in February 2020, in order to address a security flaw created by a DLL search-order hijacking bug that enabled local attackers to execute arbitrary code with Administrator privileges on vulnerable devices.

We must also note that just last month Dell addressed a flaw that was making possible the escalation of privileges from non-admin users to kernel privileges by using a bug found in the DBUtil driver that ships with tens of millions of Dell devices.

Similar Posts