Four separate security bugs would give attackers almost complete control and persistence over targeted devices, thanks to a faulty update mechanism.
A high-severity series of four vulnerabilities can allow remote adversaries to gain arbitrary code execution in the pre-boot environment on Dell devices, researchers said. They affect an estimated 30 million individual Dell endpoints worldwide.
According to an analysis from Eclypsium, the bugs affect 129 models of laptops, tablet and desktops, including enterprise and consumer devices, that are protected by Secure Boot. Secure Boot is a security standard aimed at making sure that a device boots using only software that is trusted by the device original equipment manufacturer (OEM), to prevent rogue takeovers.
The bugs allow privileged network adversaries to circumvent Secure Boot protections, control the device’s boot process, and subvert the operating system and higher-layer security controls, researchers at Eclypsium said on Thursday. They carry a cumulative CVSS score of 8.3 out of 10.
Specifically, the issues affect the BIOSConnect feature within Dell SupportAssist (a technical support solution that comes preinstalled on most Windows-based Dell machines). BIOSConnect is used to perform remote OS recoveries or to update the firmware on the device.
“Technology vendors of all types are increasingly implementing over-the-air update processes to make it as easy as possible for their customers to keep their firmware up to date and recover from system failures,” researchers noted in an analysis. “And while this is a valuable option, any vulnerabilities in these processes, such as those we’ve seen here in Dell’s BIOSConnect, can have serious consequences.”
The report noted that the specific vulnerabilities allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device.
“This combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future,” the report concluded.