Posted on June 24, 2021 at 5:09 PM
Millions Of Dell Devices Are Exposed To BIOSConnect Code Execution Bugs
The firmware foundational computer code has been riddled with bugs over the years, as it’s difficult to update with patches.
And real-world attackers have increasingly targeted these bugs to exploit users. In a recent development, four basic vulnerabilities have been found in Dell devices that could be easily exploited by threat actors.
Eclypsium research firm recently found out that the new bugs impact 128 recent models of Dell computers, including tablets, laptops, and desktops. According to the researchers, the vulnerabilities have put over 30 million devices at risk of exploitation. Additionally, the exploits can be used on models that use Microsoft’s Secured-core PC protections.
The system was designed to reduce the vulnerability in the software. However, Dell says it will be releasing updates and fixes for the vulnerability on June 24.
According to the security researchers’ report, the vulnerabilities enable threat actors to remotely execute code in a pre-boot environment.
The report is titled “BIOS Disconnect” and it provides details about the bug in Dell’s tool in SupportAssist, which is preinstalled in Dell tablets and computers.
BIOSConnect TLS accepts any wildcard certificate
The main vulnerability is a TLS connection that is insecure and connected between BIOS and Dell. This gives the attacker the access to impersonate Dell and send attacker-controlled content to the targeted device.
The security report noted that the BIOSConnect TLS accepts any valid wildcard certificate.
Jesse Michael, principal researcher at Eclypsium stated that the security team used a certificate to demonstrate the attack scenario and that it costs the firm about 70 to 80 euros.
The other three bugs are overflow vulnerabilities that come to light through an insecure TLC connection.
The bugs, when exploited, enable arbitrary code execution at the BIOS/Unified Extensible Firmware Interface (UEFL) level.
The researchers also stated that there are situations where these extra vulnerabilities are not needed to execute codes on the targeted devices.
Scott Scheferman, principal cyber strategist at Eclypsium stated that some of the Dell devices can be exploited without the additional vulnerabilities, giving an example when Secure Boot is disabled.
“If you have Secure Boot disabled, for example, you don’t need the three buffer overflows,” he stated.
Flaws are easy to exploit
The researchers have also described the vulnerabilities as very easy to exploit Michael stated that the whole scenario is a reminder of how easy it is to exploit devices back in the ‘90s.
While the industry has grown tremendously when it comes to addressing security issues, it’s not being followed up by best practices, stated.
He said organizations and individuals are not applying the much-publicized best practices in new firmware security features to protect devices.
The four bugs discovered in the BIOSConnect by the researchers will not enable threat actors to seed malicious Dell firmware updates to all users at the same time. But they can still be exploited to gain remote access to the firmware.
Bugs cannot be directly exploited in the open
When the device’s firmware is compromised, it can give the threat actors complete control of the device. This is because the firmware of a device controls the software and the device, and runs as a precursor to the device’s applications and operating system.
Another thing the researchers noted is the fact that the threat actors cannot exploit the four BIOSConnect vulnerabilities directly from the open internet. This is because they require an entrance into the internal network of the targeted devices.
However, the bugs are still attractive to attackers due to their lack of monitoring and ease of exploitation.
When the threat actors succeed in compromising the firmware, they can remain hidden in the device for a long time.
Patches to the bug available
The Eclypsium researchers say the bug was disclosed to Dell in March and will be presenting their findings in August at the Defcon security conference in Las Vegas.
After the notification, Dell provided several remedies to quell the vulnerabilities for Dell BIOSConnect, although this is not available on all Dell client platforms.
Dell says the features will be updated automatically in some systems if their users turn on the auto-update features. But Eclypsium researchers cautioned that it’s safer to download the update manually rather than allowing it to run automatically.