BIOSConnect function provides perfect conditions for attacks

Jun 25, 2021 11:01 GMT  ·  By

Due to a flaw in Dell's update mechanism, attackers may be able to exploit four separate vulnerabilities to gain complete control of affected devices. The issue affects 129 tablets, laptops, and PCs, all of which are protected by Secure Boot. The security flaws have a CVSS rating of 8.3 out of 10, according to Threat Post.

According to Eclypsium researchers, the flaws allow a privileged network attacker to bypass Secure Boot protections, tamper with the device's boot process, and subvert the operating system and higher-layer security controls. They estimate that 30 million Dell devices are affected worldwide.

Dell began releasing patches for some of its devices yesterday, with more to follow next month.

The flaw lies in a utility feature called BIOSConnect, which performs remote OS recovery and firmware updates on the device. BIOSConnect is used by Dell SupportAssist, a support tool that comes preinstalled on all Dell PCs, laptops, and tablets running Windows, which is what exposes these devices.

Attack process

In the first phase, BIOSConnect attempts a remote update or recovery by connecting to Dell's HTTP server. In the second phase, the utility allows the system's BIOS to reach Dell's Internet backend services, so that the update or recovery process can begin.

The method is described in the analysis: “The process of verifying the certificate for dell.com is done by first retrieving the DNS record from the hard-coded server 8.8.8.8, then establishing a connection to [Dell’s download site].”

“However, any valid wildcard certificate issued by any of the built-in Certificate Authorities contained within the BIOSConnect feature in BIOS will satisfy the secure connection condition, and BIOSConnect will proceed to retrieve the relevant files. The bundle of CA root certificates in the BIOS image was sourced from Mozilla’s root certificate file (certdata.txt).”
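
The condition quoted above accepts any certificate chain that ends at a bundled root CA without tying the certificate to the host actually being contacted. The following added Python example (not code from the article, Eclypsium or Dell) models that chain-only check beside a hardened check that also matches the certificate's names against the expected host; the CA names, certificates and the download host name are constructed placeholders.

```python
# Added example (not from the article, Eclypsium or Dell): models the two checks a
# TLS client should make before trusting a firmware download, on constructed data.
from dataclasses import dataclass

# Constructed stand-in for the root CA bundle built into the BIOS (from certdata.txt).
TRUSTED_ISSUERS = {"Example Public CA", "Another Public CA"}

@dataclass(frozen=True)
class Cert:
    subject_names: tuple  # DNS names from the Subject Alternative Name extension
    issuer: str           # CA that signed the certificate
    chain_valid: bool     # constructed: result of signature-chain verification

def chain_is_trusted(cert: Cert) -> bool:
    """Chain-only check: the chain verifies and ends at a bundled root CA."""
    return cert.chain_valid and cert.issuer in TRUSTED_ISSUERS

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a wildcard may only be the entire leftmost label,
    matches exactly one label, and needs at least two fixed labels after it."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def vulnerable_accept(cert: Cert, expected_host: str) -> bool:
    """Models the quoted BIOSConnect condition: any valid certificate from any
    bundled CA satisfies the check, whatever host it was issued for."""
    return chain_is_trusted(cert)

def hardened_accept(cert: Cert, expected_host: str) -> bool:
    """Chain validity AND the certificate must name the host being contacted."""
    return chain_is_trusted(cert) and any(
        hostname_matches(name, expected_host) for name in cert.subject_names)

# Constructed certificates; the host name is a placeholder for Dell's download site.
EXPECTED_HOST = "firmware.dell.example"
GENUINE = Cert(("firmware.dell.example",), "Example Public CA", True)
UNRELATED_WILDCARD = Cert(("*.unrelated.example",), "Another Public CA", True)
UNTRUSTED_CHAIN = Cert(("firmware.dell.example",), "Unknown CA", False)

if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE), ("unrelated wildcard", UNRELATED_WILDCARD),
                        ("untrusted chain", UNTRUSTED_CHAIN)]:
        print(f"{label:20s} vulnerable={vulnerable_accept(cert, EXPECTED_HOST)} "
              f"hardened={hardened_accept(cert, EXPECTED_HOST)}")
```

The unrelated wildcard certificate passes the chain-only check but fails the hardened one, which is the gap a hostname match (or certificate pinning) closes.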

Once the first stage of the attack is complete, attackers can use any one of three separate and independent overflow vulnerabilities (CVE-2021-21572, CVE-2021-21574, and CVE-2021-21573) to gain pre-boot remote code execution on the target device.

By exploiting these vulnerabilities, attackers can compromise the BIOS of Dell devices, establish ongoing persistence at the device's highest privilege level, and disable protections in order to remain undetected.