Dell has released remediations to fix four major security vulnerabilities found by Eclypsium researchers in the SupportAssist software. The vulnerability chain scores a 8.3 High CVSS base score and affects 129 Dell models, or over 30 million devices.
Owners and administrators of affected devices should apply updates to address the vulnerabilities immediately.
What is the nature of the vulnerabilties?
All four vulnerabilities were discovered by Eclypsium researchers and are found in Dell BIOSConnect and HTTPS Boot features. CVE-2021-21571 found that the TLS connection from BIOS to Dell is insecure and will accept any valid wildcard certificate included in the built-in CA root certificates. The other three vulnerabilities each would allow arbitrary code execution in BIOS.
The vulnerabilities would allow remote threat actors to conduct a person-in-the-middle attack, “to control the device’s boot process and subvert the operating system and higher-layer security controls,” according to Eclypsium researchers.
To exploit the vulnerability chain in BIOSConnect, a malicious actor must separately perform additional steps before a successful exploit, including: compromise a user’s network, obtain a certificate that is trusted by one of the Dell UEFI BIOS https stack’s built-in Certificate Authorities, and wait for a user who is physically present at the system to use the BIOSConnect feature or HTTPS Boot feature.
Around 129 Dell models are affected. The list is exhaustive. Visit Dell advisory DSA-2021-106 to see the table of affected devices.
Over 30 million Dell tablets, notebooks, and laptops are at risk of having the vulnerabilities exploited.
One vulnerability allows an unauthenticated attacker to use a person-in-the-middle attack, which may result in a denial of service attack or payload tampering.
The other three vulnerabilities allow an attacker with existing local admin access to run arbitrary code in BIOS, bypassing UEFI restrictions.
How can I remediate?
Two of the vulnerabilities, CVE-2021-21573 and CVE-2021-21574, were remediated server-side on May 28, 2021. The other two vulnerablities, CVE-2021-21571 and CVE-2021-21572, require updates and remediation steps.
Remediation steps are outlined in greater detail in the Dell advisory (also linked below). Eclypsium researchers recommend not using BIOSConnect to apply the listed BIOS updates. The updates for impacted systems are listed at Dell.com.
Novacoast’s May 7, 2021, Dell advisory: