30 Million Dell Devices Vulnerable to Remote BIOS Attacks

Four high-severity vulnerabilities can allow hackers to remotely execute malicious code in the pre-boot environment on Dell devices. The security flaws affect an estimated 30 million systems. The four separate bugs would give hackers complete control of, and persistence on, targeted devices, thanks to a faulty update mechanism. According to an analysis from Eclypsium, the flaws affect 129 models of laptops, tablets and desktops that are protected by Secure Boot. Secure Boot is a security standard that makes sure a device boots using only software trusted by the device’s original equipment manufacturer (OEM), to prevent takeovers.

The bugs allow hackers to bypass Secure Boot protections, control the device’s boot process, and circumvent the operating system and higher-layer security controls. The issues affect the BIOSConnect feature within Dell SupportAssist, which comes preinstalled on most Windows-based Dell machines. BIOSConnect is used to perform remote OS recoveries or to update the firmware on the device.

When BIOSConnect attempts to connect to the backend Dell HTTP server to perform a remote update or recovery, it enables the system’s BIOS (the firmware used to perform hardware initialization during the boot process) to reach out to Dell backend services over the internet. It then coordinates an update or recovery process. The issue is that the TLS connection used to connect the BIOS to the backend servers will accept any valid wildcard certificate, Eclypsium researchers said. So an attacker with a privileged network position can intercept that connection, impersonate Dell and deliver attacker-controlled content to the victim device.

The process of verifying the certificate for dell.com is done by retrieving the DNS record from the hard-coded server 8.8.8.8, then establishing a connection to Dell’s download site. However, any valid wildcard certificate issued by any of the Certificate Authorities built into BIOSConnect in the BIOS will satisfy the secure-connection condition, and BIOSConnect will proceed to retrieve the files. The bundle of CA root certificates in the BIOS image was sourced from Mozilla’s root certificate file.
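To make the certificate-check flaw concrete, the following is an added illustration (not Dell’s or Eclypsium’s code): a check that accepts any wildcard certificate from a trusted CA, beside an RFC 6125-style check that also requires the name to cover the host the BIOS meant to reach. The download host name is an assumption; the page only says “Dell’s download site”.

```python
# Added illustration of the certificate-check flaw described above (not
# Dell's or Eclypsium's code). The download host name is an assumption:
# the page only says "Dell's download site".
EXPECTED_HOST = "downloads.dell.com"


def weak_check(cert_names, expected_host):
    """Mimics the flawed behaviour: any wildcard name from a trusted CA
    passes, whether or not it covers the host we meant to reach."""
    return any(name.startswith("*.") for name in cert_names)


def match_hostname(pattern, host):
    """RFC 6125-style matching of one certificate name against a host.
    A wildcard is accepted only as the entire left-most label and matches
    exactly one label, so '*.dell.com' covers 'downloads.dell.com' but not
    'dell.com', 'a.b.dell.com' or 'downloads.attacker.example'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" in host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole first label, at least two fixed labels
    # must follow it (no '*.com'), and no other label may contain '*'.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if "" in p_labels or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def strict_check(cert_names, expected_host):
    """Correct behaviour: a trusted chain is necessary but not sufficient;
    the certificate must also name the host the BIOS intended to reach."""
    return any(match_hostname(n, expected_host) for n in cert_names)


if __name__ == "__main__":
    # Constructed: a valid wildcard certificate for an unrelated domain.
    rogue = ["*.attacker.example"]
    print("weak  :", weak_check(rogue, EXPECTED_HOST))    # True  (flaw)
    print("strict:", strict_check(rogue, EXPECTED_HOST))  # False (fixed)
```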

Any attack scenario would require a hacker to be able to redirect the traffic, such as via a machine-in-the-middle attack. Machine-in-the-middle attacks are simple for sophisticated hackers, with techniques such as ARP spoofing and DNS cache poisoning being well known and easily automated. Enterprise VPNs and other network devices have become targets for hackers, and flaws in these devices can allow hackers to redirect traffic. To make matters worse, end users working from home are increasingly reliant on SOHO networking gear. Vulnerabilities are common in these consumer-grade networking devices and have been exploited in widespread campaigns.

Dell has now pushed out BIOS patches for all of the affected systems, and it is recommended to apply them. The combination of remote exploitability and high privileges will make remote update functionality a target for hackers. Vendors are increasingly implementing over-the-air update processes to make it easier for their customers to keep their firmware up to date. While this is a valuable option, any vulnerabilities in these processes, such as those in Dell’s BIOSConnect, can have serious consequences. Given that a successful compromise of a device’s BIOS would allow hackers to establish ongoing persistence while controlling the highest privileges on the device, the likelihood of hackers targeting these vulnerabilities is high: they could control the process of loading the host operating system and disable protections in order to remain undetected. The unlimited control over a device that this attack can provide makes the effort well worth it for hackers.