[BreachExchange] Eclypsium: BIOSConnect Flaws Haunt Millions of Dell Computers

[Sophia Kingsbury]

https://www.securityweek.com/eclypsium-biosconnect-flaws-haunt-millions-dell-computers

Eclypsium, a U.S. company that addresses firmware security threats, said
the issue affects 129 Dell models of consumer and business laptops,
desktops, and tablets, including devices that use Microsoft’s new
Secured-core PC protections.

The company published a technical report to document the discovery, which
affects an estimated 30 million Dell computer devices.  Separately, Dell
released software fixes alongside a warning that this should be treated as
a high-impact issue.

In all, Dell shipped patches for at least four documented CVEs credited to
Eclypsium researchers Mickey Shkatov and Jesse Michael.  The researchers
plan to discuss the vulnerabilities and potential impact at this years DEF
CON security conference.

The Eclypsium researchers found the problems in the BIOSConnect feature
within Dell Client BIOS.  “[This issue] allows a privileged network
adversary to impersonate Dell.com and gain arbitrary code execution at the
BIOS/UEFI level of the affected device. Such an attack would enable
adversaries to control the device’s boot process and subvert the operating
system and higher-layer security controls,” Shkatov and Michael said in a
published paper.

“These vulnerabilities enable an attacker to remotely execute code in the
pre-boot environment. Such code may alter the initial state of an operating
system, violating common assumptions on the hardware/firmware layers and
breaking OS-level security controls,” the researchers said.

The problematic BIOSConnect feature lives within another updating mechanism
called SupportAssist that’s used to handle update and remote management on
Dell computers.

Specifically, the Dell UEFI BIOS https stack leveraged by the Dell
BIOSConnect feature and Dell HTTPS Boot feature contains an improper
certificate validation vulnerability. “A remote unauthenticated attacker
may exploit this vulnerability using a person-in-the-middle attack which
may lead to a denial of service and payload tampering,” Dell warned in its
advisory.

Dell confirmed and patched three additional issues identified by Eclypsium,
including a buffer overflow bug in Dell BIOSConnec that could allow an
authenticated malicious admin user with local access to the system to run
arbitrary code and bypass UEFI restrictions.

Eclypsium is warning that this combination of remote exploitability and
high privileges will likely make remote update functionality an alluring
target for attackers in the future.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210625/a78d7050/attachment.html>