According to a recent security analysis by Eclypsium, there’s currently a series of four security bugs present in 129 Dell laptop models that could allow cybercrime actors to gain remote access and execute arbitrary code in the pre-boot environment of the affected machines. It has been estimated that the total number of laptops affected by this series of flaws is approximately 30 million.
All of the laptops that have these bugs are protected by Secure Boot – a security standard that ensures the computer is only allowed to boot using software that is trusted by the device’s manufacturer. Apparently, the four bugs can allow attackers to circumvent this defensive standard. The CVSS score of the bugs, which indicates how severe they are, is 8.3.
More specifically, the four flaws are related to the BIOSConnect feature of Windows-based Dell machines. This feature is primarily used for updating firmware and for remote OS recoveries.
According to the analysts, such remote, or “over-the-air”, updates are becoming more common for the sake of convenience and a faster update process. However, they also increase the potential for security flaws, as the current case shows.
The analysis elaborates that the vulnerabilities can be used by attackers to exploit the targeted machine’s UEFI firmware in order to gain full Admin privileges. The researchers note that criminal actors will likely continue to target remote update functionality in the future for the reasons mentioned above.
The “Gatekeeper” Flaw
The first of the flaws, tracked as CVE-2021-21571, sits at the start of the remote code execution chain. When BIOSConnect is activated to install an update or perform a recovery, the BIOS connects to a backend Dell HTTP server over the web in order to coordinate the update or recovery. The weakness here stems from the fact that the TLS connection accepts any valid certificate, meaning that all the attacker needs is a privileged position in the network in order to impersonate the backend Dell server and then deliver their own code to the targeted system.
The researchers at Eclypsium point out that the dell.com certificate verification is done by obtaining the DNS record from the 18.104.22.168 server and then connecting to the Dell download site. However, so long as the certificate is issued by a valid Certificate Authority, it satisfies BIOSConnect’s check and a connection is established.
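As an added illustration of the check discussed above (example code written for this article, not Eclypsium’s or Dell’s code): a TLS client has to bind the presented certificate to the host it intended to reach, not merely confirm that some trusted CA signed it. The hostname `downloads.vendor.example` and the subjectAltName lists are constructed assumptions, not values from the report.

```python
import ssl

# Hypothetical update host; the real Dell download hostname is not named above.
EXPECTED_HOST = "downloads.vendor.example"


def hostname_matches(san_dns_names, expected_host):
    """RFC 6125-style DNS-ID matching: exact match, or a single wildcard that
    stands for exactly one left-most label (e.g. '*.vendor.example').
    Comparison is case-insensitive; trailing dots are ignored."""
    host = expected_host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                 # ".vendor.example"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            # the wildcard must cover one non-empty label and nothing more
            if prefix and "." not in prefix:
                return True
    return False


def weak_accept_server_cert(chain_is_valid, san_dns_names, expected_host):
    """The bug class described above: any CA-issued certificate is accepted,
    regardless of which name it was issued for."""
    return chain_is_valid


def accept_server_cert(chain_is_valid, san_dns_names, expected_host):
    """Correct check: a valid chain AND a name bound to the intended host."""
    return chain_is_valid and hostname_matches(san_dns_names, expected_host)


def make_client_context():
    """How a Python client gets the same guarantee from the standard library:
    CA verification plus hostname verification, with legacy TLS disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

A certificate that a public CA issued for some unrelated name passes `weak_accept_server_cert` but fails `accept_server_cert`, which is the difference between “signed by a CA” and “belongs to the server I meant to talk to”.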
The Attack Path
Once the first bug is exploited, the criminal actor could exploit any one of the other three reported bugs: CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574. Each of them can be exploited to launch malicious code in the pre-boot environment of the attacked machine.
Two of the remaining three flaws affect the recovery process of the system, and the third one is related to the remote updates.
Regardless of the specific attack path, a machine-in-the-middle attack must first be carried out, which can be done without too much difficulty. According to Eclypsium, this type of attack is not very challenging for experienced cybercrime actors, who can use DNS cache poisoning or ARP spoofing techniques that are quite common nowadays. The report also states that flaws in VPN services can allow the attacker to intercept their victim’s traffic, and there’s currently no shortage of such flaws.
For the criminals who may attempt such an attack, there is a lot to gain if it succeeds, which would make the effort well worth it. Due to the wide range of permissions and privileges the attacker would gain, they would even be able to disable certain protection features, so that their presence in the system goes unnoticed. From then on, there is really no limit to what the attacker may be able to do on the compromised system.
Dell Addressing the Issue
Dell has addressed the issue with a series of emergency security patches to the BIOS of the affected computers, the majority of which are scheduled for release on Thursday, with the rest to follow in July.
The researchers at Eclypsium recommend running the BIOS update executables manually, after checking their hashes against the ones published by Dell.