
Dude! You're getting pwned! [Dell remote exploit security issues]

Summary

Dell does it again, with yet another poorly done set of bloatware SupportAssist software bugs.  BUT WAIT!  THERE'S MORE!  This time though, they also are known to have screwed up their UEFI BIOS firmware so it is remotely exploitable to install/change the firmware too!

 

This affects over 30 million PCs and 120+ model lines (see end of Dell support link below for the list), including Alienware, XPS, Latitude, Inspiron, etc.

 

Quotes

Quote

"The specific vulnerabilities covered here allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device," the researchers concluded.

 

Quote

"This combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future, and organizations should make sure to monitor and update their devices accordingly."

 

Quote

"Such an attack would enable adversaries to control the device's boot process and subvert the operating system and higher-layer security controls"

 

Quote

"All three vulnerabilities are independent, and each one could lead to arbitrary code execution in BIOS."

 

Quote

"CVE-2021-21573 and CVE-2021-21574 don't require additional customer action as they were addressed server side on May 28, 2021. However, the CVE-2021-21571 and CVE-2021-21572 vulnerabilities require Dell Client BIOS updates to be fully addressed."

 

Quote

"The researchers also recommend using an alternate method other than the SupportAssist's BIOSConnect feature to apply BIOS updates on their devices."

 

My thoughts

UPDATE YOUR BIOS/Firmware MANUALLY if you have an affected Dell with updates!  These vulnerabilities affect the auto-update chain as well with the various Dell automatic options.  Affected systems that are still semi-supported will have updated BIOS/UEFI downloads available on Dell.com.

 

While every company is going to make security mistakes, Dell seems to be really good at doing them often in serious ways.  While this doesn't affect a lot of those on LTT who likely are building their own systems, many folks around here also are in charge of fleets or maintaining systems for others, which very well may be Dell.

 

Sources

https://www.bleepingcomputer.com/news/security/dell-supportassist-bugs-put-over-30-million-pcs-at-risk/

https://www.dell.com/support/kbdoc/000188682

http://www.eclypsium.com/2021/06/24/biosdisconnect/

Edited by justpoet
Added more descriptive title at end since not everybody remembers "Dude! You're getting a Dell!" commercials.

2 minutes ago, Senzelian said:

Could you please use a different title? This seems a little too clickbaity for my taste.

It's an old joke, on the "Dude, you're getting a Dell" commercials.

Good luck, Have fun, Build PC, and have a last gen console for use once a year. I should answer most of the time between 9 to 3 PST

NightHawk 3.0: R7 5700x @, B550A vision D, H105, 2x32gb Oloy 3600, Sapphire RX 6700XT  Nitro+, Corsair RM750X, 500 gb 850 evo, 2tb rocket and 5tb Toshiba x300, 2x 6TB WD Black W10 all in a 750D airflow.
GF PC: (nighthawk 2.0): R7 2700x, B450m vision D, 4x8gb Geli 2933, Strix GTX970, CX650M RGB, Obsidian 350D

Skunkworks: R5 3500U, 16gb, 500gb Adata XPG 6000 lite, Vega 8. HP probook G455R G6 Ubuntu 20. LTS

Condor (MC server): 6600K, z170m plus, 16gb corsair vengeance LPX, samsung 750 evo, EVGA BR 450.

Spirt  (NAS) ASUS Z9PR-D12, 2x E5 2620V2, 8x4gb, 24 3tb HDD. F80 800gb cache, trueNAS, 2x12disk raid Z3 stripped

PSU Tier List      Motherboard Tier List     SSD Tier List     How to get PC parts cheap    HP probook 445R G6 review

 

"Stupidity is like trying to find a limit of a constant. You are never truly smart in something, just less stupid."

Camera Gear: X-S10, 16-80 F4, 60D, 24-105 F4, 50mm F1.4, Helios44-m, 2 Cos-11D lavs


Dell does it again

CPU: Core i9 12900K || CPU COOLER : Corsair H100i Pro XT || MOBO : ASUS Prime Z690 PLUS D4 || GPU: PowerColor RX 6800XT Red Dragon || RAM: 4x8GB Corsair Vengeance (3200) || SSDs: Samsung 970 Evo 250GB (Boot), Crucial P2 1TB, Crucial MX500 1TB (x2), Samsung 850 EVO 1TB || PSU: Corsair RM850 || CASE: Fractal Design Meshify C Mini || MONITOR: Acer Predator X34A (1440p 100hz), HP 27yh (1080p 60hz) || KEYBOARD: GameSir GK300 || MOUSE: Logitech G502 Hero || AUDIO: Bose QC35 II || CASE FANS : 2x Corsair ML140, 1x BeQuiet SilentWings 3 120 ||

 

LAPTOP: Dell XPS 15 7590

TABLET: iPad Pro

PHONE: Galaxy S9

She/they 


Read the DSA-2021-106

 

Quote

Exploiting the chain requires additional steps:

  • To exploit the vulnerability chain in BIOSConnect, a malicious actor must separately perform additional steps before a successful exploit, including: compromise a user’s network, obtain a certificate that is trusted by one of the Dell UEFI BIOS https stack’s built-in Certificate Authorities, and wait for a user who is physically present at the system to use the BIOSConnect feature.
  • To exploit the vulnerability in HTTPS Boot, a malicious actor must separately perform additional steps before a successful exploit, including: compromise a user’s network, obtain a certificate that is trusted by one of the Dell UEFI BIOS https stack’s built-in Certificate Authorities, and wait for a user who is physically present at the system to change the boot order and use the HTTPS Boot feature.

Basically a certain set of conditions have to occur for this to be a viable exploit. This is more of a problem for the enterprise than a home user. It's still bad though.

 

Quote

Customers should also enable platform security features such as Secure Boot (enabled by default for Dell platforms with Windows) and BIOS Admin Password for added protection.

Note: If Secure Boot is disabled, it may impact the potential severity that is associated with the CVE-2021-21571 security vulnerability.
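For anyone managing a Dell fleet, here is an added example (not from this thread, Dell, or the DSA) that reports the two things the advisory says matter: the installed BIOS version and whether Secure Boot is on. It assumes Windows PowerShell with admin rights (Confirm-SecureBootUEFI needs it), and the `$FixedVersions` map is a constructed placeholder you must fill from the model list in Dell KB 000188682.

```powershell
# Added example, not from the thread or from Dell: report a Dell machine's
# BIOS version and Secure Boot state so a fleet admin can see which boxes
# still need the manual BIOS update the DSA calls for.
# $FixedVersions is a constructed placeholder; populate it from Dell KB 000188682.
$FixedVersions = @{
    'EXAMPLE-MODEL' = '1.0.0'   # placeholder entry, not a real Dell model/version
}

function Get-DellBiosPosture {
    param([hashtable]$Fixed = $FixedVersions)

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines or without admin rights.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $null }

    $result = [pscustomobject]@{
        Manufacturer = $bios.Manufacturer
        Model        = $cs.Model
        BiosVersion  = $bios.SMBIOSBIOSVersion
        SecureBoot   = $secureBoot      # $null means "could not be determined"
        FixedVersion = $null
        BiosPatched  = 'Unknown'
    }

    # Only Dell systems are in scope for this advisory.
    if ($bios.Manufacturer -notmatch 'Dell') { return $result }

    $need = $Fixed[$cs.Model]
    if ($need) {
        $result.FixedVersion = $need
        # Dell client BIOS versions are usually dotted (1.x.y); fall back to an
        # exact string match when either side does not parse as [version].
        try {
            $result.BiosPatched = ([version]$bios.SMBIOSBIOSVersion -ge [version]$need)
        } catch {
            $result.BiosPatched = ($bios.SMBIOSBIOSVersion -eq $need)
        }
    }
    return $result
}

Get-DellBiosPosture | Format-List
```

Run it through your usual remote-execution tooling and collect the objects; any Dell row with BiosPatched false or SecureBoot false is one to update by hand rather than through BIOSConnect.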

 


23 minutes ago, StDragon said:

This is more of a problem for the enterprise than a home user.

Never been a fan of Dell desktop systems anyway, their consumer models look even worse but that's not really applicable here? All these system management software/tools etc have basically only ever resulted in this crap. I never found the HP command line utilities for applying BIOS settings and firmware updates that hard and you didn't have to install them at all anyway, I'm sure Dell equivalents exist rather than this method.

 

Can this whole BIOSConnect thing be disabled outright?


Quote

"All three vulnerabilities are independent, and each one could lead to arbitrary code execution in BIOS."

This is pretty bad. Even worse is this is where buying the extended warranty and support gets you.

 


50 minutes ago, leadeater said:

Can this whole BIOSConnect thing be disabled outright?

Yes.

 

Within the new UEFI BIOS for applicable systems, you navigate to the following menu in BIOS

 

SupportAssist --> uncheck box next to "Enable BIOSConnect". Press the Apply button at the bottom.

That should be it.


*sigh* Remind me why the BIOS has to be accessible from the OS? 🤔 (And drop the usual lazy bum excuses.)


20 hours ago, leadeater said:

 

Can this whole BIOSConnect thing be disabled outright?

yep.

 

It's only a new feature (e.g. a Precision 7700/7710/7720/5510/5520 do not have it), and thus you'll only see it in the last 3 models of laptops, which would have 8th, 9th, 10th gen (and presumably 11th gen) Intel chips. If you've updated the BIOS on the 00/10/20 models above it might unlock that option in the BIOS menu; it'll be like the last or second last menu tree on the grey GUI BIOS. The touch screen BIOS looks completely different and I couldn't describe it off hand.

 

That said, as a matter of personal policy, I always turned it off on laptops because the last thing I want is the user to try and "recover" the laptop and end up wiping the laptop and installing Dell's OS image instead of the image the company wants installed. Also any time I used SupportAssist or Dell Command Update (latter is preferred), I would uninstall it later to avoid the user installing Dell's updates on a stable setup. I have never had a support issue regarding either, but "Dell Command Update" is far more usable than SupportAssist's method of updating drivers, with SA often having issues with multi-stage installs such as Realtek audio. DCUpdate one-shot downloads everything, and then attempts to install.

 

Which again, the BIOSConnect feature is something that I only started seeing on the 5530s and Latitude 7x90s, which have 8th gen CPUs. I don't think it requires any special hardware feature; it's likely just the firmware chip size.

 


On 6/28/2021 at 8:26 PM, SlidewaysZ said:

[image: hahaha-lol.gif]

RIP, source of so many memes.

 

Also WTH Dell?
