Pierluigi Paganini June 24, 2021

Flaws affecting the BIOSConnect feature of Dell Client BIOS could be exploited by a privileged attacker to execute arbitrary code at the BIOS/UEFI level of the impacted device.

Researchers from cybersecurity firm Eclypsium discovered multiple vulnerabilities affecting the BIOSConnect feature of Dell Client BIOS that could be exploited by a privileged attacker to execute arbitrary code at the BIOS/UEFI level of the affected device.

“This chain of vulnerabilities has a cumulative CVSS score of 8.3 (High) because it allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device.” reads the post published by Eclypsium. “Such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls.”

Below the list of vulnerability diclosed by the Eclypsium experts:

• CVE-2021-21571 – Insecure TLS connection from BIOS to Dell, allows threat actors to impersonate Dell.com and deliver malicious code to the victim’s device. The attack is possible because TLS connection from BIOSConnect will accept any valid wildcard certificate.
• CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574 – Overflow vulnerabilities enabling arbitrary code execution.

The flaw affects 129 models of consumer and business Dell laptops, desktops, and tablets, it also impacts devices protected by Secure Boot and Dell Secured-core PCs.

BIOSConnect provides network-based boot recovery, it allows users to recover their computer’s recovery partition in case of hard drive failure or corruption of the original partition. It allows the BIOS to connect to Dell’s servers via HTTPS to download an image of the operating system.

Experts pointed out that the successful exploitation of the issue could cause the loss of integrity of the devices ad opens the door to the remote execution of malicious code in the pre-boot environment bypassing security protections at the OS level.

The flaws were reported on March 3 and at the end of May, the vendor has released server-side updates to address CVE-2021-21573 and CVE-2021-21574. The PC maker released client-side BIOS firmware updates to address the other two flaws.

Dell also provides workarounds to disable both the BIOSConnect and HTTPS Boot features.

“Technology vendors of all types are increasingly implementing over-the-air update processes to make it as easy as possible for their customers to keep their firmware up to date and recover from system failures. And while this is a valuable option, any vulnerabilities in these processes, such as those we’ve seen here in Dell’s BIOSConnect can have serious consequences.” concludes the report. “The specific vulnerabilities covered here allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]