Remote Code Execution Vulnerability Affects Millions of Dell Devices
The cumulative exploitation of the vulnerabilities allows attackers to impersonate Dell.com and carry out BIOS / UEFI attacks on 128 Dell laptops, tablets and PCs, including Secure Boot and Secured-core PCs. According to Eclypsium experts, such attacks allow attackers to take control of the system boot process.
Dell SupportAssist technology (usually preinstalled on Dell Windows devices) is used to manage support features, including troubleshooting and recovery. BIOSConnect can be used to recover the OS in case of damage, as well as to update the firmware.
The feature connects to the Dell cloud infrastructure to deliver the requested code to the user's device. Eclypsium researchers discovered four vulnerabilities in this process that could allow a privileged attacker on the network to execute arbitrary code into the BIOS of vulnerable machines.
The first is that any valid certificate is accepted when BIOSConnect connects to the Dell internal HTTP server, allowing an attacker to impersonate Dell and deliver malicious content to the victim's device.
Researchers have also found some HTTPS boot configurations that use the same basic verification code, potentially making them vulnerable to abuse.
Among other things, the experts identified three independent vulnerabilities, described as overflow errors. Two of them affect the OS recovery process, and another one affects the firmware update mechanism. All three vulnerabilities allow attackers to execute arbitrary code in the BIOS.