By security practitioners, for security practitioners novacoast federal | Pillr | novacoast | about innovate
By security practitioners, for security practitioners

Dell issues update to fix four major vulnerabilities in BIOSConnect and HTTPS Boot

Dell has released remediations to fix four major security vulnerabilities found by Eclypsium researchers in the SupportAssist software. The vulnerability chain scores a 8.3 High CVSS base score and affects 129 Dell models, or over 30 million devices.

Owners and administrators of affected devices should apply updates to address the vulnerabilities immediately.

 
What is the nature of the vulnerabilties?

All four vulnerabilities were discovered by Eclypsium researchers and are found in Dell BIOSConnect and HTTPS Boot features. CVE-2021-21571 found that the TLS connection from BIOS to Dell is insecure and will accept any valid wildcard certificate included in the built-in CA root certificates. The other three vulnerabilities each would allow arbitrary code execution in BIOS.

The vulnerabilities would allow remote threat actors to conduct a person-in-the-middle attack, “to control the device’s boot process and subvert the operating system and higher-layer security controls,” according to Eclypsium researchers.


From Dell:

To exploit the vulnerability chain in BIOSConnect, a malicious actor must separately perform additional steps before a successful exploit, including: compromise a user’s network, obtain a certificate that is trusted by one of the Dell UEFI BIOS https stack’s built-in Certificate Authorities, and wait for a user who is physically present at the system to use the BIOSConnect feature or HTTPS Boot feature.

 
Affected products

Around 129 Dell models are affected. The list is exhaustive. Visit Dell advisory DSA-2021-106 to see the table of affected devices. 


Impact

Over 30 million Dell tablets, notebooks, and laptops are at risk of having the vulnerabilities exploited.

One vulnerability allows an unauthenticated attacker to use a person-in-the-middle attack, which may result in a denial of service attack or payload tampering.

The other three vulnerabilities allow an attacker with existing local admin access to run arbitrary code in BIOS, bypassing UEFI restrictions.


How can I remediate?

Two of the vulnerabilities, CVE-2021-21573 and CVE-2021-21574, were remediated server-side on May 28, 2021. The other two vulnerablities, CVE-2021-21571 and CVE-2021-21572, require updates and remediation steps.

Remediation steps are outlined in greater detail in the Dell advisory (also linked below). Eclypsium researchers recommend not using BIOSConnect to apply the listed BIOS updates. The updates for impacted systems are listed at Dell.com.


Resources

Dell advisory:
https://www.dell.com/support/kbdoc/en-us/000188682/dsa-2021-106-dell-client-platform-security-update-for-multiple-vulnerabilities-in-the-supportassist-biosconnect-feature-and-https-boot-feature

Eclypsium article:
https://eclypsium.com/2021/06/24/biosdisconnect/

BleepingComputer article:
https://www.bleepingcomputer.com/news/security/dell-supportassist-bugs-put-over-30-million-pcs-at-risk/

Novacoast’s May 7, 2021, Dell advisory:
https://news.novacoast.com/w/ZB4YsxQDNW9SLfnXD2i892cg/9JJj7CML892dq5h9dvqYctRw/yB763OvFTQRb763qLsQMacAvEQ

DW

Previous Post

Cisco Releases Security Updates for Multiple Products

Next Post

Critical PrintNightmare RCE Vulnerability Exploitable in Fully Patched Systems

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.