Preinstalled firmware updater puts 128 Dell models at risk

A firmware-update utility that comes preinstalled on at least 128 models of Dell laptops, desktops, servers, and tablets has multiple vulnerabilities that could allow a privileged attacker to install rogue code over the network, the computer maker and security firm Eclypsium announced on Thursday.

The four vulnerabilities affect an estimated 30 million devices that use the BIOSConnect functionality of Dell’s support utility SupportAssist, which allows computer users to remotely recover the operating system or update the firmware for a variety of Dell devices. One vulnerability allows an attacker with a “privileged network position to impersonate Dell” and send malicious code to the targeted system, while three other issues are buffer overflows that allow code execution to bypass the security of SecureBoot, Eclypsium stated.

If attackers can intercept the initial BIOSConnect traffic — thus, the “privileged network position” — they can use a wild-card certificate purchased from any of the certificate authorities trusted by Dell BIOSConnect to send code to the system, says Jesse Michael, principal researcher with Eclypsium.

“It allows an attacker to get an initial toehold within the client BIOS,” he says. “It is not something where you need to own the system through some other means and then do privilege escalations or lateral movement within the system. This is an initial code execution on the system through exploiting these other vulnerabilities.”

Attacks on firmware have increased, often as a way for attackers to gain a persistent beachhead on a system that survives reboots and attempts to remove any malicious files. About 83% of businesses have experienced an attack that targeted firmware in the past two years, according to a report published by Microsoft in March. Sophisticated malware frequently has firmware modules that attempt to infect the basic input/output system (BIOS), which, as the first software to run, has a privileged place in the order in the system boot sequence.

When Dell released a function to make updating BIOS easier, Eclypsium saw it as a fertile field of research. The company’s researchers discovered the vulnerabilities in early March and worked with Dell to remediate the issues.

On Thursday, Dell released an advisory for the four vulnerabilities, saying that the company had already closed two issues by updates to its servers. The other two issues, including the certification validation issue (CVE-2021-21571), can only be fixed by updating the BIOS.

To read the complete article, visit Dark Reading.