Security researchers have discovered a chain of Dell Client BIOS (BIOSConnect feature) vulnerabilities that impact 129 Dell models and millions of Dell devices worldwide.
The Eclypsium researchers discovered the collection of High severity vulnerabilities, which allow a suitably positioned attacker to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device.
“These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls,” wrote Eclypsium in a blog post on Thursday.
The Eclypsium team initially found 128 affected models, but Dell later contacted the team and confirmed that 129 models of consumer and business laptops, desktops, and tablets are affected. These include devices protected by Secure Boot and Dell Secured-core PCs.
Eclypsium disclosed the vulnerabilities to and coordinated with the Dell PSIRT team. Dell subsequently released a Security Advisory and is scheduling BIOS/UEFI updates for affected devices.
Dell advisory and mitigations
A Dell Security Advisory listed four vulnerabilities:
- CVE-2021-21571: Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering.
- CVE-2021-21572, CVE-2021-21573, CVE-2021-21574: Dell BIOSConnect feature contains a buffer overflow vulnerability. An authenticated malicious admin user with local access to the system may potentially exploit this vulnerability to run arbitrary code and bypass UEFI restrictions.
The vulnerability chain has a cumulative CVSS score of 8.3 and is rated High severity.
Two of the vulnerabilities (CVE-2021-21573 and CVE-2021-21574) were fixed by Dell on the server side on May 28, 2021 and require no additional customer action.
The remaining two (CVE-2021-21571 and CVE-2021-21572) require Dell Client BIOS updates to address the vulnerabilities.
Dell advises customers to update their systems using one of the approved methods: downloading updates from the Drivers & Updates page, flashing the system via the F12 boot menu, or using Dell's notification solution to be notified and download BIOS updates when they become available.
Readers may also recall that just last month researchers disclosed a Dell BIOS driver privilege escalation vulnerability, CVE-2021-21551, covering a collection of five flaws that had exposed hundreds of millions of Dell computers.
At that time, experts from SentinelLabs warned that the high severity bugs had remained undisclosed for 12 years and could have allowed an attacker to escalate privileges from a non-privileged user to kernel mode.