Vulnerabilities in Dell computers allow RCE at the BIOS/UEFI level
An estimated 30 million Dell computers are affected by several vulnerabilities that may enable an attacker to remotely execute code in the pre-boot (BIOS/UEFI) environment, Eclypsium researchers have found.
The vulnerabilities affect 128 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs.
The problem resides in the BIOSConnect feature of Dell SupportAssist, a solution that comes preinstalled on most Windows-based Dell machines and helps users troubleshoot and resolve hardware and software problems.
BIOSConnect helps perform a remote OS recovery or update the firmware on the device, and it does so by connecting to Dell backend services over the internet, downloading the needed software/firmware, and coordinating the recovery/update process.
Unfortunately, as the researchers found, these processes can be subverted to deliver malicious content to a target machine.
Eclypsium uncovered four vulnerabilities.
CVE-2021-21571 stems from the fact that the TLS connection from BIOSConnect to the backend Dell HTTP server will accept any valid wildcard certificate issued by any of the built-in CA’s contained within the BIOSConnect feature. The problem is in the certificate verification code, which is also present in some of the HTTPS Boot configurations.
“This allows an attacker with a privileged network position to impersonate Dell and deliver attacker-controlled content back to the victim device,” the researchers explained.
CVE-2021- 21572, CVE-2021-21573, CVE-2021-21574 are three overflow vulnerabilities, two of which affect the OS recovery process, and one the firmware update process. Each one of these could lead to arbitrary code execution in the pre-boot environment.
Concatenated, these vulnerabilities may allow a privileged network adversary (e.g., executing a Machine-in-the-Middle attack) to gain control of the target device’s boot process and subvert the operating system and higher-layer security controls.
“Because this attack is delivered directly to firmware, it is invisible to most endpoint security software,” noted Jesse Michael, Principal Analyst at Eclypsium.
How to fix this?
The researchers disclosed the existence of the vulnerabilities to Dell in March 2021.
CVE-2021-21573 and CVE-2021-21574 have been fixed on the server side in late May 2021 and require no action/intervention by the device owners.
The CVE-2021-21571 and CVE-2021-21572 vulnerabilities, on the other hand, require Dell Client BIOS updates. Dell is pushing out some of the updates today, and others are planned for July.
Users of Dell computers are advised to check the list of vulnerable device models (available in Dell’s security advisory) and see whether they are affected. If they are, they should apply the BIOS updates via one of the recommended methods.
If implementing the update is impossible, the risk of the vulnerabilitie being exploited can be temporariliy be mitigated by disabling the BIOSConnect and HTTPS Boot features.
Michael also added that, even when CVE-2021-21571 is removed, organizations should make sure that internal systems using HTTPS Boot have certificates fully controlled by the organization (and not by CAs that issue certificates broadly).
Eclypsium researchers will share more details about the discovered vulnerabilities at this year’s DEF CON.