Security researchers have warned that at least 30 million Dell computers may be at risk after discovering multiple vulnerabilities that could allow attackers to execute arbitrary code within the machines’ BIOS.
Security vendor Eclypsium said 129 Dell models were affected by the chain of four bugs, which have a cumulative CVSS score of 8.4 (high).
“These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls,” it explained in a blog post.
“As attackers increasingly shift their focus to vendor supply chains and system firmware, it is more important than ever that organizations have independent visibility and control over the integrity of their devices.”
The vulnerabilities affect BIOSConnect, a feature of SupportAssist which enables users to perform a remote OS recovery or update the firmware on the device by connecting its BIOS to Dell backend services over the internet.
The main issue centers around CVE-2021-21571, which describes an insecure TLS connection from a machine’s BIOS to the Dell backend, meaning it will accept “any valid wildcard certificate.” This could enable an attacker with a privileged network position to impersonate Dell and deliver malicious content back to the victim device, Eclypsium said.
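The following is an added illustration, not code from Eclypsium or Dell, of the validation gap behind CVE-2021-21571: a client that only checks that the chain is valid will trust any CA-signed wildcard certificate, whereas a client that also matches the presented DNS names against the intended backend host rejects it. The `Cert` type, the backend hostname and the certificate contents are constructed stand-ins.

```python
"""Hostname check a BIOSConnect-style TLS client must perform.

Models the bug described above: a client that only verifies the
chain (and so accepts any valid wildcard certificate) versus one
that also matches SubjectAltName entries against the backend host.
Certificate data here is a constructed stand-in for a parsed X.509
SAN list, not a real certificate.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    chain_valid: bool                                  # trusted CA, not expired
    dns_names: list = field(default_factory=list)      # SAN dNSName entries


def hostname_matches(hostname: str, san: str) -> bool:
    """Match one SAN dNSName against a hostname using RFC 6125 rules:
    a wildcard may only be the entire leftmost label, matches exactly
    one label, and is refused for names as short as '*.com'."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "*" in pat[1:]:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and pat[1:] == host[1:]
    return pat == host


def weak_accept(cert: Cert, backend_host: str) -> bool:
    """Vulnerable behaviour: any valid certificate is trusted for the
    backend, so a wildcard cert for an unrelated domain is accepted."""
    return cert.chain_valid


def strict_accept(cert: Cert, backend_host: str) -> bool:
    """Fixed behaviour: the chain must validate AND a SAN must match."""
    return cert.chain_valid and any(
        hostname_matches(backend_host, san) for san in cert.dns_names
    )


# Constructed sample data (placeholder names, not Dell infrastructure).
BACKEND = "downloads.example-backend.test"
GENUINE = Cert(True, ["downloads.example-backend.test"])
ROGUE = Cert(True, ["*.unrelated.test"])   # valid, CA-signed, wrong domain
EXPIRED = Cert(False, ["*.example-backend.test"])

if __name__ == "__main__":
    print("weak accepts rogue:  ", weak_accept(ROGUE, BACKEND))     # True
    print("strict accepts rogue:", strict_accept(ROGUE, BACKEND))   # False
```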
The other three flaws — CVE-2021-21572, CVE-2021-21573 and CVE-2021-21574 — are overflow vulnerabilities, two of which affect the OS recovery process, while the other impacts the firmware update process.
“All three vulnerabilities are independent, and each one could lead to arbitrary code execution in BIOS,” Eclypsium explained.
The attack scenario described by Eclypsium would require an attacker to redirect a victim’s traffic, such as via “machine-in-the-middle” techniques. However, it claimed this would be a relatively low bar for sophisticated attackers capable of ARP spoofing and DNS cache poisoning or exploiting bugs in VPNs and home office networking equipment.
“Successfully compromising the BIOS of a device would give an attacker a high degree of control over a device,” explained Eclypsium.
“The attacker could control the process of loading the host operating system and disable protections in order to remain undetected. This would allow an attacker to establish ongoing persistence while controlling the highest privileges on the device.”
Dell has urged customers to update to the latest Dell Client BIOS version as soon as possible to mitigate the risk of attack.
Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said the discovery was “highly concerning.”
“BIOS is critical for a device boot process and its security is vital to ensure safety of the entire device. This is especially important in the current environment due to the increased wave of supply chain attacks,” he added.
“This chain of security vulnerabilities allows for bypass of secure boot protections, can be exploited to take complete control of the device and hence organizations should prioritize patching.”