Cybersecurity researchers have discovered four critical vulnerabilities in the pre-boot environment of Dell devices that exposes them to remote code execution attacks.
Security vendor Eclypsium reports that the vulnerabilities in Dell’s BIOSConnect tool affect well over a hundred Dell device models including both consumers and business desktops, laptops, and tablets.
BIOSConnect is the firmware updates and remote operating system recovery tool feature that is part of the SupportAssist support tool that comes bundled with Dell computers.
“Our research has identified a series of four vulnerabilities that would enable a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines,” reads the report from Eclypsium.
Dell has already put out patches to mitigate the vulnerabilities.
Alluring target
According to Threatpost the bugs allow threat actors to circumvent the Secure Boot protections of the Dell devices, control its boot process, and subvert the operating system and higher-layer security controls.
The core vulnerability involves an insecure TLS connection between Dell and the BIOS on their devices. The report explains that thanks to the bug, the BIOSConnect TLS connection will accept “any valid wildcard certificate.”
This, the researchers note, effectively allows attackers to impersonate Dell and deliver any malicious content to the victim’s device.
The other three vulnerabilities are buffer overflow vulnerabilities, which are enabled by the exploited insecure TLS connection, and allow arbitrary code execution at the BIOS/Unified Extensible Firmware Interface (UEFI) level.
Eclypsium believes that the Dell vulnerabilities show that as vendors increasingly switch to over-the-air update processes, any unaddressed vulnerabilities in the mechanism can have serious consequences.
“This combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future,” Eclypsium concludes
