Dell SupportAssist contained RCE bug that allowed rogues to remotely reflash your BIOS with code of their creation • The Register



A chain of four vulnerabilities in the Dell SupportAssist remote firmware update utility could allow malicious individuals to run arbitrary code on as many as 129 different PC and laptop models – while posing as Dell to remotely upload a compromised BIOS.

A remote BIOS reflasher, integrated into the pre-installed Dell support tool SupportAssist, accepts “any valid wildcard certificate” from a predefined list of certification authorities, giving attackers a valuable foothold deep inside target computers – although Dell insists that exploitation is only possible if a logged-in user runs the SupportAssist utility, and then only in combination with a man-in-the-middle attack.

The four chained vulnerabilities have a combined CVSSv3.1 score of 8.1 and allow remote code execution at an early stage of a vulnerable system's boot by authenticated attackers. Updates to SupportAssist are available from Dell to mitigate the vulnerabilities, which infosec firm Eclypsium estimates affect approximately 30 million laptops and PCs.

Eclypsium, which blogged about the vulnerabilities, said: “Such code can alter the initial state of an operating system, violate general assumptions about the hardware / firmware layers and break security controls at the operating system level.”

The wildcard-certificate vulnerability (CVE-2021-21571) arose because a SupportAssist feature called BIOSConnect did not correctly validate the TLS certificate presented for the Dell download domain after resolving that domain via Google's DNS server. BIOSConnect would accept any wildcard certificate issued by one of a list of certification authorities as valid, rather than the actual certificate for the Dell download site, Eclypsium said.
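As an added illustration (not code from the article, Dell or Eclypsium), the check below contrasts the acceptance rule the article describes, which stops at "issued by a listed CA and is a wildcard", with RFC 6125 hostname matching, which is what a firmware updater needs before trusting a download server. The CA name, hostnames and certificate dicts are constructed for the demo, and chain validation is assumed to have already succeeded.

```python
TRUSTED_ISSUERS = {"Example Root CA"}  # constructed CA name for the demo


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True only if hostname matches a DNS SAN under RFC 6125 wildcard rules."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue  # a wildcard covers exactly one label, never zero or two
        if "*" in value:
            # Only a bare left-most "*" is allowed, and it must not be broad
            # enough to cover a whole registered domain such as "*.com".
            if pat[0] != "*" or any("*" in p for p in pat[1:]) or len(pat) < 3:
                continue
            if pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def flawed_accept(cert: dict) -> bool:
    """Rule as the article describes it: any wildcard certificate issued by a
    listed CA passes, with no check that it names the download server."""
    has_wildcard = any(k == "DNS" and v.startswith("*.")
                       for k, v in cert.get("subjectAltName", ()))
    return cert["issuer"] in TRUSTED_ISSUERS and has_wildcard


def correct_accept(hostname: str, cert: dict) -> bool:
    """Issuer on the list AND the name the client intended to reach."""
    return cert["issuer"] in TRUSTED_ISSUERS and hostname_matches(hostname, cert)


# Constructed certificates in a simplified getpeercert()-like shape.
GENUINE = {"issuer": "Example Root CA",
           "subjectAltName": (("DNS", "*.example.com"),)}
ROGUE = {"issuer": "Example Root CA",  # legitimately issued, but for another name
         "subjectAltName": (("DNS", "*.attacker-owned.example"),)}

if __name__ == "__main__":
    host = "downloads.example.com"
    print("flawed rule accepts rogue cert:  ", flawed_accept(ROGUE))          # True
    print("correct rule accepts rogue cert: ", correct_accept(host, ROGUE))   # False
    print("correct rule accepts genuine cert:", correct_accept(host, GENUINE))  # True
```

The rogue certificate is perfectly valid for its own name, so issuer checks alone can never reject it; only comparing the presented names against the host the client meant to contact closes the gap.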

“If UEFI Secure Boot is disabled, this vulnerability can be used to achieve arbitrary remote code execution in the UEFI / pre-boot environment on the client device,” the company continued.

More details on the other three vulnerabilities, which Dell and Eclypsium coyly refer to as “a buffer overflow”, will be revealed at Def Con. Tracked as CVE-2021-21572 through -21574, these were cumulatively rated 7.2 on the CVSSv3.1 scale. CVE-2021-21573 and CVE-2021-21574 were both “fixed on the server side” and “do not require additional customer action”, according to Dell.

Dell was less enthusiastic in the wording of its advisory on the flaws, although it did confirm that it had been working with Eclypsium since March, well before publication.

“In order to exploit the chain of vulnerabilities in BIOSConnect, a malicious actor must take additional steps separately before a successful exploit, including: compromising a user’s network, obtaining a certificate that is trusted by one of the built-in certification authorities of the Dell UEFI BIOS https stack, and waiting for a user who is physically present on the system to use the BIOSConnect function,” sniffed an unimpressed Dell.

Eclypsium agreed, saying, “An attack scenario would require an attacker to redirect the victim’s traffic, for example through a machine-in-the-middle (MITM) attack.”

Bharat Jogi, Qualys senior manager, Vulnerability and Threat Research, commented, “The four vulnerabilities on Dell devices are very worrying. The BIOS is critical to a device's startup process and its security is critical to keeping the entire device safe. This is especially important in the current environment due to the increasing wave of supply chain attacks. This chain of vulnerabilities allows Secure Boot protection to be bypassed, can be exploited to gain complete control of the device, and so companies should prioritize patching.”

If you’re tired of updating SupportAssist, an effective workaround, according to Dell, is simply to delete the utility. ®
