Dell SupportAssist bugs put over 30 million PCs at risk

Security researchers have found four major security vulnerabilities in the BIOSConnect feature of Dell SupportAssist, allowing attackers to remotely execute code within the BIOS of impacted devices.

According to Eclypsium's analysis, the bugs affect 129 unique models of laptops, tablets and desktops, including enterprise and consumer devices, that are protected by Secure Boot. Secure Boot is a security standard intended to ensure that a device boots using only software that is trusted by the system's original equipment manufacturer (OEM), to guard against rogue takeovers.

Dell SupportAssist, often pre-installed on Windows-based Dell machines, is used to manage support functions including troubleshooting and recovery. The BIOSConnect facility can be used to recover an OS in cases of corruption as well as to update firmware. In order to do so, the feature connects to Dell’s cloud infrastructure to pull requested code to a user’s device. The researchers discovered four vulnerabilities in this process that would allow “a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines.”

Additionally, the team found some HTTPS Boot configurations which use the same underlying verification code, potentially rendering them exploitable. Three independent vulnerabilities, described as overflow bugs, were also uncovered by the researchers. Two impacted the OS recovery process, whereas the other was present in the firmware update mechanism. In each case, an attacker could perform arbitrary code execution in BIOS. However, the technical details of these vulnerabilities will not be disclosed until an upcoming DEFCON presentation in August. 

The researchers identified one issue leading to an insecure TLS connection from BIOS to Dell (tracked as CVE-2021-21571) and three overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574).

When BIOSConnect attempts to connect to the backend Dell HTTP server to perform a remote update or recovery, it allows the system’s BIOS (the firmware used to perform hardware initialization during the boot process) to reach out to Dell backend services over the internet. It then coordinates an update or recovery process. The issue is that the TLS connection used to join the BIOS to the backend servers will accept any valid wildcard certificate, Eclypsium researchers said. So, an attacker with a privileged network position can intercept that connection, impersonate Dell and deliver attacker-controlled content back to the target device.

“The process of verifying the certificate for dell.com is performed by first retrieving the DNS record from the hard-coded server 8.8.8.8, then establishing a connection to [Dell’s download site],” according to the analysis. “However, any valid wildcard certificate issued by any of the built-in Certificate Authorities contained in the BIOSConnect feature in BIOS will satisfy the secure connection condition, and BIOSConnect will proceed to retrieve the relevant files. The bundle of CA root certificates in the BIOS image was sourced from Mozilla’s root certificate file (certdata.txt).”
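The flaw the two preceding paragraphs describe is a client that validates the certificate chain but never checks that the leaf certificate was issued for the host it meant to reach, so a valid wildcard certificate for an unrelated domain passes. The following is an added illustration written for this page, not code from Eclypsium, Dell or BIOSConnect: it implements the hostname-matching step that a firmware update client must perform on top of chain validation, and contrasts a check that stops at the chain with one that also requires a name match. The certificates are constructed Python dicts shaped like the value `ssl.SSLSocket.getpeercert()` returns; the host name `downloads.dell.com` is taken from the article's description of Dell's download site, and no real CA, key or network connection is involved.

```python
"""Hostname verification as the missing half of TLS server authentication.

Added illustration for this page; not Eclypsium's, Dell's or BIOSConnect's code.
Certificates below are constructed dicts in the shape returned by
ssl.SSLSocket.getpeercert(). No network access is performed.
"""
from dataclasses import dataclass

# Host the article says BIOSConnect contacts after the DNS lookup.
EXPECTED_HOST = "downloads.dell.com"


def hostname_matches(cert: dict, host: str) -> bool:
    """Match `host` against the certificate's DNS subjectAltName entries.

    Rules (RFC 6125 style): labels compare case-insensitively; '*' is only
    honoured as the whole leftmost label and matches exactly one label, so
    '*.example.com' matches 'www.example.com' but not 'example.com' and not
    'a.b.example.com'. A certificate with no DNS SAN never matches.
    """
    host_labels = host.lower().rstrip(".").split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[0] == "*":
            # Wildcard must leave at least two fixed labels ('*.tld' is rejected)
            # and everything right of the wildcard must match exactly.
            if len(pat_labels) >= 3 and pat_labels[1:] == host_labels[1:]:
                return True
        elif pat_labels == host_labels:
            return True
    return False


@dataclass
class PeerCheck:
    chain_valid: bool  # outcome of path validation against the built-in CA bundle
    cert: dict         # parsed leaf certificate presented by the peer


def weak_accept(peer: PeerCheck) -> bool:
    """The behaviour the article describes: any certificate that chains to a
    trusted root is accepted, whatever name it was issued for."""
    return peer.chain_valid


def strict_accept(peer: PeerCheck, expected_host: str = EXPECTED_HOST) -> bool:
    """What an update client should require: a valid chain AND a leaf whose
    SAN covers the host it set out to reach. In Python's ssl module this is
    what ssl.create_default_context() enforces (check_hostname=True) when the
    socket is wrapped with server_hostname=expected_host."""
    return peer.chain_valid and hostname_matches(peer.cert, expected_host)


# Constructed sample leaf certificates (not real certificates).
GENUINE = {"subjectAltName": (("DNS", "downloads.dell.com"),)}
WILDCARD_SAME_PARENT = {"subjectAltName": (("DNS", "*.dell.com"),)}
WILDCARD_OTHER_DOMAIN = {"subjectAltName": (("DNS", "*.unrelated.example"),)}
NO_SAN: dict = {}


def compare_policies(expected_host: str = EXPECTED_HOST) -> dict:
    """Return {label: (weak_result, strict_result)} for each sample, assuming
    every sample chains to a root in the trust bundle."""
    samples = {
        "genuine": GENUINE,
        "wildcard, same parent": WILDCARD_SAME_PARENT,
        "wildcard, other domain": WILDCARD_OTHER_DOMAIN,
        "no SAN": NO_SAN,
    }
    out = {}
    for label, cert in samples.items():
        peer = PeerCheck(chain_valid=True, cert=cert)
        out[label] = (weak_accept(peer), strict_accept(peer, expected_host))
    return out


if __name__ == "__main__":
    for label, (weak, strict) in compare_policies().items():
        print(f"{label:24s} chain-only: {weak!s:5s} chain+hostname: {strict}")
```

Only the "wildcard, other domain" row separates the two policies: it chains to a trusted root and so passes the chain-only check, but its name does not cover the expected host, so the strict check rejects it. Pinning the expected leaf or intermediate would tighten this further, but the hostname check alone already closes the gap the article describes.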