Security researchers at Eclypsium have found a set of critical vulnerabilities, affecting millions of Dell computers from desktops to laptops and tablets, that an attacker could exploit covertly.
Discovered back in March, the problem affects 129 Dell models aimed at both consumer and corporate users. The vulnerabilities also affect machines that carry Microsoft's Secured-core PC protections. According to the report published by Eclypsium, roughly 30 million computers are affected. Dell, in turn, has released software patches to eliminate the discovered vulnerabilities and rates the problem as critical.
Dell has released fixes for at least four vulnerabilities discovered by Eclypsium researchers Mickey Shkatov and Jesse Michael. The two also plan to present the security holes and the possible consequences of their exploitation at the Def Con security conference.
Experts uncover vulnerabilities in millions of Dell computers
The vulnerabilities relate to the BIOSConnect feature in the Dell Client BIOS. According to the researchers, they allow an attacker to impersonate Dell's systems and gain the ability to execute arbitrary code at the BIOS/UEFI level of the affected device. The research found that such an attack could take control of the boot process and subvert the operating system and the security controls layered above it.
“These vulnerabilities are on easy mode to exploit. It’s essentially like traveling back in time—it’s almost like the ’90s again,” says Jesse Michael, principal analyst at Eclypsium. “The industry has achieved all this maturity of security features in application and operating system-level code, but they’re not following best practices in new firmware security features.”
An attacker could exploit the vulnerabilities to execute code remotely in the pre-boot environment. By altering the initial state of the operating system, an attacker can bypass OS-level security controls. The affected BIOSConnect feature is part of the SupportAssist update mechanism, which is used to download legitimate Dell updates and to manage computers remotely.
Dell SupportAssist also comes preinstalled on most Dell Windows PCs. This lets an employer, for example, remotely restore the system on an employee's computer.
The four vulnerabilities, CVE-2021-21571, CVE-2021-21572, CVE-2021-21573 and CVE-2021-21574, allow attackers to abuse an insecure connection and launch malicious code. Dell PC owners should disable the BIOSConnect feature until they have installed the new patch. For more information on the vulnerabilities, see the Dell website.
“This is an attack that lets an attacker go directly to the BIOS,” the fundamental firmware used in the boot process, says Eclypsium researcher Scott Scheferman. “Before the operating system even boots and is aware of what’s going on, the attack has already happened. It’s an evasive and powerful vulnerability for an attacker that wants persistence.”