Skip to main content

WARNING ⚠️ ; Over 30 Million Dell Devices at Risk for Remote BIOS Attacks, RCE.


dell security flaw
Four separate security bugs would give attackers almost complete control and persistence over targeted devices, thanks to a faulty update mechanisms.

A high-severity series of four vulnerabilities can allow remote adversaries to gain arbitrary code execution in the pre-boot environment on Dell devices, researchers said. They affect an estimated 30 million individual Dell endpoints worldwide.

According to an analysis from Eclypsium, the bugs affect 129 models of laptops, tablet and desktops, including enterprise and consumer devices, that are protected by Secure Boot. Secure Boot is a security standard aimed at making sure that a device boots using only software that is trusted by the device original equipment manufacturer (OEM), to prevent rogue takeovers.

The bugs allow privileged network adversaries to circumvent Secure Boot protections, control the device’s boot process, and subvert the operating system and higher-layer security controls, researchers at Eclypsium said on Thursday. They carry a cumulative CVSS score of 8.3 out of 10.

“Technology vendors of all types are increasingly implementing over-the-air update processes to make it as easy as possible for their customers to keep their firmware up to date and recover from system failures,” researchers noted in an analysis. “And while this is a valuable option, any vulnerabilities in these processes, such as those we’ve seen here in Dell’s BIOSConnect, can have serious consequences.”Specifically, the issues affect the BIOSConnect feature within Dell SupportAssist (a technical support solution that comes preinstalled on most Windows-based Dell machines). BIOSConnect is used to perform remote OS recoveries or to update the firmware on the device.

The report noted that the specific vulnerabilities allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device.

“This combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future,” the report concluded.

Insecure TLS Connection: Impersonating Dell

The first vulnerability (CVE-2021-21571) is the beginning of a chain that can lead to remote code execution (RCE).

When BIOSConnect attempts to connect to the backend Dell HTTP server to perform a remote update or recovery, it enables the system’s BIOS (the firmware used to perform hardware initialization during the booting process) to reach out to Dell backend services over the internet. Then, it coordinates an update or recovery process.

The issue is that the TLS connection used to connect BIOS to the backend servers will accept any valid wildcard certificate, Eclypsium researchers said. So, an attacker with a privileged network position can intercept that connection, impersonate Dell and deliver attacker-controlled content back to the victim device.

“The process of verifying the certificate for dell.com is done by first retrieving the DNS record from the hard-coded server 8.8.8.8, then establishing a connection to [Dell’s download site],” according to the analysis. “However, any valid wildcard certificate issued by any of the built-in Certificate Authorities contained within the BIOSConnect feature in BIOS will satisfy the secure connection condition, and BIOSConnect will proceed to retrieve the relevant files. The bundle of CA root certificates in the BIOS image was sourced from Mozilla’s root certificate file (certdata.txt).”

Overflow Vulnerabilities Enabling Arbitrary Code Execution

Once this first “gatekeeper” bug is exploited to deliver malicious content back to the victim machine, attackers then have a choice of three distinct and independent overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, CVE-2021-21574), any of which can be used to gain pre-boot RCE on the target device, researchers said.

Two of the vulnerabilities affect the OS recovery process, while the third affects the firmware update process, according to Eclypsium, which isn’t releasing further technical details yet.

The attack scenario: Click to enlarge. Source: Eclypsium

Any attack scenario would require an attacker to be able to redirect the victim’s traffic, such as via a machine-in-the-middle (MITM) attack – something that’s not much of a barrier, researchers said.

“Machine-in-the-middle attacks are a relatively low bar to sophisticated attackers, with techniques such as ARP spoofing and DNS cache poisoning being well-known and easily automated,” according to the report. “Additionally, enterprise VPNs and other network devices have become a top target of attackers, and flaws in these devices can allow attackers to redirect traffic. And finally, end-users working from home are increasingly reliant on SOHO networking gear. Vulnerabilities are quite common in these types of consumer-grade networking devices and have been exploited in widespread campaigns.”

The groundwork effort to carry out an attack is likely a positive tradeoff for cybercriminals, given that a successful compromise of the BIOS of a device would allow attackers to establish ongoing persistence while controlling the highest privileges on the device. This is because they would control the process of loading the host operating system, and would be able to disable protections in order to remain undetected, the report noted.

“The virtually unlimited control over a device that this attack can provide makes the fruit of the labor well worth it for the attacker,” Eclypsium researchers said.

Dell Issues Patches

Dell has now pushed out patches for BIOS on all of the affected systems. For details, refer to its advisory.

“It is advisable to run the BIOS update executable from the OS after manually checking the hashes against those published by Dell,” Eclypsium recommended, rather than relying on BIOSConnect to apply BIOS updates.

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.