Eclypsium researchers have identified multiple vulnerabilities affecting the BIOSConnect feature, allowing attackers to remotely execute code within the BIOS of impacted devices.

Dell SupportAssist is an overarching support solution that comes preinstalled on most Windows-based Dell machines. SupportAssist covers a range of support functions such as monitoring for hardware and software problems and assisting with troubleshooting and recovery when issues are found.

Researchers have identified a series of four vulnerabilities that would enable a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines.

The reasearchers identified one issue leading to an insecure TLS connection from BIOS to Dell (tracked as CVE-2021-21571) and three overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574).

Two of the overflow security flaws “affect the OS recovery process, while the other affects the firmware update process,” Eclypsium says. “All three vulnerabilities are independent, and each one could lead to arbitrary code execution in BIOS.”

Successfully compromising the BIOS of a device would give an attacker a high degree of control over a device. The attacker could control the process of loading the host operating system and disable protections in order to remain undetected. This would allow an attacker to establish ongoing persistence while controlling the highest privileges on the device.

The problem affects 129 different models of Dell laptops, tablets, and desktops, and an estimated 30 million individual devices. The issue has been found on Secured-core PCs even if Secure Boot is enabled. 

MITIGATIONS

The system BIOS/UEFI will need to be updated for all affected systems. However, the researchers recommend that users not use BIOSConnect to perform this firmware update.

Instead, it is advisable to run the BIOS update executable from the OS after manually checking the hashes against those published by Dell. 

Dell will be updating the affected executables delivered during the BIOSConnect firmware update and OS recovery processes. According to Dell, two of the vulnerabilities have been remediated on the server side, with additional updates coming in July.

Dell recommends all customers update to the latest Dell Client BIOS version at the earliest opportunity. Customers who choose not to apply BIOS updates immediately or who are otherwise unable to do so at this time should apply the below mitigation.

BIOSConnect:

Customers may disable the BIOSConnect feature using one of two options:

Option 1: Customers may disable BIOSConnect from the BIOS setup page (F2).

Note: Customers may find the BIOSConnect option under different BIOS setup menu interfaces depending on their platform model. These are referred below as BIOS Setup Menu Type A and BIOS Setup Menu Type B.

BIOS Setup Menu Type A: F2-> Update,Recovery -> BIOSConnect -> Switch to Off

BIOS Setup Menu Type B: F2 -> Settings -> SupportAssist System Resolution -> BIOSConnect -> Uncheck BIOSConnect option

Note: Dell recommends customers not to run “BIOS Flash Update – Remote” from F12 until the system is updated with a remediated version of the BIOS.

Option 2: Customers may leverage Dell Command | Configure (DCC)’s Remote System Management tool to disable the BIOSConnect and Firmware Over the Air (FOTA) BIOS settings.

HTTPS Boot

Customers may disable the HTTPS Boot feature using one of two options:

Option 1: Customers may disable BIOSConnect from the BIOS setup page (F2).

F2-> Connection -> HTTP(s) Boot -> Switch to Off

BIOS Setup Menu Type B: F2 -> Settings -> SupportAssist System Resolution -> BIOSConnect -> Uncheck BIOSConnect option

Option 2: Customers may leverage Dell Command | Configure (DCC)’s Remote System Management tool to disable HTTP Boot Support.