Millions of Dell Devices Exposed to Remote Attacks

Security researchers have published a report detailing four vulnerabilities in Dell devices. By their estimate, around 30 million Dell endpoints are exposed to attacks that execute code in the BIOS, before the operating system has loaded.

ZDNet reported on the issue, quoting analysts at enterprise firmware security firm Eclypsium. The researchers listed 129 affected models: Dell-branded laptops, tablets and pre-built desktops, as well as enterprise-grade Dell hardware. The four bugs are not in Secure Boot itself; they sit in a firmware feature that runs before Secure Boot's checks apply, which is what lets an attacker bypass the protection on the affected models.

Secure Boot is an industry standard defined in the UEFI specification by the UEFI Forum. Its purpose is to ensure that a protected device only boots software whose signature chains to a key the firmware trusts (keys enrolled by the OEM, typically including Microsoft's). The technology is meant to block bootkits and other kernel-level tampering before the operating system loads.
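Before reasoning about a bypass it helps to know whether a machine is actually enforcing Secure Boot. The following is an added example, not part of the article and not Dell's or Eclypsium's code: it reads the UEFI `SecureBoot` variable through Linux's efivarfs. The GUID is the EFI_GLOBAL_VARIABLE GUID from the UEFI specification; the sample byte strings in the test are constructed.

```python
"""Read the UEFI SecureBoot variable on Linux (added example, not the article's code)."""
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification; the SecureBoot variable lives under it.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes):
    """efivarfs exposes each variable as a 4-byte little-endian attribute
    bitmask followed by the variable's data."""
    if len(raw) < 4:
        raise ValueError("efivar file too short to contain an attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_enabled(raw: bytes) -> bool:
    """SecureBoot's data is a single byte: 1 when the firmware enforces signatures."""
    _, data = parse_efivar(raw)
    return len(data) >= 1 and data[0] == 1


def secure_boot_status(efivars="/sys/firmware/efi/efivars") -> str:
    """Return 'enabled', 'disabled', or 'unknown ...' when efivarfs is absent
    (legacy BIOS boot, or efivarfs not mounted)."""
    path = Path(efivars) / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
    if not path.exists():
        return "unknown (no efivarfs; legacy BIOS boot?)"
    return "enabled" if secure_boot_enabled(path.read_bytes()) else "disabled"


if __name__ == "__main__":
    print("Secure Boot:", secure_boot_status(EFIVARS))
```

On Windows the equivalent check is the `Confirm-SecureBootUEFI` PowerShell cmdlet. Note that an "enabled" result only tells you the firmware verifies what it loads next; a flaw in the firmware's own update or recovery path, which is the subject of this article, runs before that verification and is not covered by it.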

Chained together, the bugs discovered by Eclypsium let an attacker bypass Secure Boot and take control of the device's boot process, and with it the device and its operating system. The chain carries a severity score of 8.3 out of 10 under the Common Vulnerability Scoring System.

The four bugs are in BIOSConnect, a feature of Dell's SupportAssist that ships in the firmware of many Dell machines. BIOSConnect lets the BIOS itself, before any operating system is running, connect over HTTPS to Dell's servers to download a firmware update or an OS recovery image, so that a machine can be restored even when its operating system no longer boots.

The researchers noted that remote support and recovery features of this kind are becoming more common, not only at Dell but at other hardware vendors. The convenience is real, but so is the risk: code that runs in the firmware and talks to the network sits below the operating system and every security control in it, so a bug there is reachable before any endpoint defenses have loaded.

Three of the four are overflow bugs in how BIOSConnect handles the data it downloads. The fourth, CVE-2021-21571, is the entry point: it concerns how BIOSConnect verifies the identity of the Dell backend server it connects to.

When BIOSConnect opens its TLS connection to the server, it accepts any valid wildcard certificate instead of checking that the certificate was issued for the host it intended to reach. An attacker in a privileged network position (on the same network, or able to redirect DNS or traffic) can therefore present a wildcard certificate of their own, hijack the connection, and feed the firmware malicious content, which the overflow bugs turn into code execution in the BIOS. The end user sees nothing out of the ordinary.
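To make the flaw concrete, here is an added example in Python; it is not Dell's firmware code and not Eclypsium's proof of concept. The vulnerable function models the check the article describes: it accepts any certificate carrying a syntactically valid wildcard name. The hardened function matches the name against the host the client actually meant to reach, following the usual wildcard rules (wildcard only as the whole leftmost label, matching exactly one label, never covering a bare top-level domain). The context builder shows the settings a Python TLS client needs so that the `ssl` library performs this matching for you. The host name and the subjectAltName lists are constructed for illustration.

```python
"""Hostname validation: 'any wildcard certificate' versus a real match (added example)."""
import ssl

# Constructed placeholder for the host the firmware intends to contact; not Dell's real backend.
EXPECTED_HOST = "bios-update.example-vendor.com"


def vulnerable_accepts(san_names, expected_host):
    """Vulnerable: a certificate is accepted if any SAN entry is a well-formed
    wildcard name, regardless of which domain that wildcard covers."""
    for name in san_names:
        if name.startswith("*.") and "." in name[2:]:
            return True
        if name.lower() == expected_host.lower():
            return True
    return False


def _name_matches(pattern, host):
    """RFC 6125-style comparison of one SAN dNSName against the expected host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the entire leftmost label, appear nowhere else,
    # and leave at least two labels (so "*.com" never matches).
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard matches exactly one label: "*.x.y" covers "a.x.y" but not "a.b.x.y".
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hardened_accepts(san_names, expected_host):
    """Hardened: the certificate must name the host we set out to reach."""
    return any(_name_matches(name, expected_host) for name in san_names)


def build_client_context():
    """A client context that chains to trusted CAs AND checks the hostname.
    Setting verify_mode without check_hostname reproduces the BIOSConnect mistake."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    attacker_cert = ["*.attacker.example"]      # constructed: valid wildcard, wrong domain
    legit_cert = ["*.example-vendor.com"]       # constructed: wildcard covering the real host
    print("vulnerable accepts attacker:", vulnerable_accepts(attacker_cert, EXPECTED_HOST))
    print("hardened accepts attacker:  ", hardened_accepts(attacker_cert, EXPECTED_HOST))
    print("hardened accepts legit:     ", hardened_accepts(legit_cert, EXPECTED_HOST))
```

The practical lesson is that chain validation and hostname validation are separate steps; a certificate that chains to a trusted CA proves only that someone owns some name, and the client must still confirm it is the name it dialed.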

Dell has already begun releasing patches. The company has published an official advisory and BIOS updates for a large share of the affected models, with the remainder expected in the coming days, likely by early July. Until a machine has received its update, the advisory describes disabling the BIOSConnect feature in the BIOS setup as an interim workaround.

June 24, 2021