A major security flaw in Dell’s firmware update and operating system recovery software, BIOSConnect, potentially exposes the tens of millions of devices on which Dell preinstalled it.
BleepingComputer reported on Thursday that researchers at security firm Eclypsium had discovered a flaw in BIOSConnect that could allow attackers to remotely execute malicious code. BIOSConnect is part of Dell’s standard SupportAssist software and updates the firmware on a computer’s system board. In their report, the researchers wrote that the vulnerability was so severe it could “enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls,” which would give them control “over the most privileged code on the device.”
There are four separate vulnerabilities. One involves an insecure connection between the BIOS being updated and Dell’s servers, which allows an attacker to redirect the machine to a maliciously modified update package; the remaining three are classified as overflow vulnerabilities. Eclypsium rated the bugs as severe security threats.
Dell preinstalled the software on 129 models of PC and laptop, and Eclypsium estimates that around 30 million individual devices are potentially vulnerable. According to ZDNet, Eclypsium first notified the manufacturer of the flaws in March 2021. The company has fixed two of the vulnerabilities on the server side and released a fix for the remaining two, but that fix requires users to update the BIOS/UEFI on each device. The Eclypsium researchers recommended in the report that Dell users stop relying on BIOSConnect to apply firmware updates. (More information can be found in Dell’s advisory.)
Fortunately, the researchers also noted that the attack requires redirecting a targeted machine’s traffic to servers hosting malware. That makes it unlikely to be used against random Dell users, but for large enterprises whose “supply chain and support infrastructure” is of interest to hackers, the researchers wrote, the “virtually unlimited control over a device that this attack can provide makes it worth the effort by the attacker.”
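The redirect-to-malicious-package scenario described above only works when an update client trusts whatever host its traffic ends up at and installs whatever that host serves. The following is an added example, not code from the article, from Dell, or from Eclypsium; it shows the two independent checks an update client should enforce so that a redirected connection cannot deliver a tampered firmware image: an authenticated TLS transport (certificate chain and hostname verified) and an integrity check of the downloaded image against a digest published out of band. The firmware bytes, the "redirected server", and the function names are all constructed for illustration and do not describe how BIOSConnect itself is implemented.

```python
"""Added example: transport authentication plus image integrity checks for a
firmware update client. All names, images and transports are constructed."""
import hashlib
import hmac
import ssl

# Constructed sample: the genuine firmware image and the digest the vendor
# would publish through a separately trusted channel.
GENUINE_IMAGE = b"BIOS-IMAGE-v1.2.3\x00" + bytes(range(64))
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_IMAGE).hexdigest()

# Constructed sample: what a server the client was redirected to might serve.
TAMPERED_IMAGE = GENUINE_IMAGE.replace(b"v1.2.3", b"v9.9.9") + b"\x90" * 8


def weak_tls_context() -> ssl.SSLContext:
    """The insecure pattern: chain and hostname checks disabled, so any host the
    client's traffic is redirected to is accepted as the update server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_tls_context(ca_bundle=None) -> ssl.SSLContext:
    """Chain validated against a trusted CA set (a pinned vendor bundle if one
    is supplied), hostname checked, legacy protocol versions refused."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def transport_is_authenticated(ctx: ssl.SSLContext) -> bool:
    """True only if the peer certificate is required and the hostname is checked."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def image_is_authentic(image: bytes, published_sha256: str) -> bool:
    """Constant-time comparison of the downloaded image's digest with the
    published one; a tampered image fails regardless of how it was fetched."""
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, published_sha256)


def naive_stage_update(fetch, ctx) -> bytes:
    """The risky 'before': whatever the transport returns is staged for flashing."""
    return fetch(ctx)


def stage_update(fetch, ctx, published_sha256: str) -> bytes:
    """The hardened 'after': refuses an unauthenticated transport up front and
    refuses any image whose digest does not match the published value."""
    if not transport_is_authenticated(ctx):
        raise RuntimeError("refusing to download over an unauthenticated connection")
    image = fetch(ctx)
    if not image_is_authentic(image, published_sha256):
        raise RuntimeError("downloaded image does not match the published digest")
    return image


# Constructed transports standing in for a real HTTPS download.
def genuine_server(ctx) -> bytes:
    return GENUINE_IMAGE


def redirected_server(ctx) -> bytes:
    return TAMPERED_IMAGE


def run_scenarios() -> dict:
    """Runs every client/transport combination and records the outcome."""
    results = {}
    transports = (("genuine", genuine_server), ("redirected", redirected_server))
    for name, fetch in transports:
        results[("naive", name)] = (
            "tampered" if naive_stage_update(fetch, weak_tls_context()) != GENUINE_IMAGE else "ok"
        )
        try:
            stage_update(fetch, hardened_tls_context(), PUBLISHED_SHA256)
            results[("hardened", name)] = "ok"
        except RuntimeError as exc:
            results[("hardened", name)] = str(exc)
    return results


if __name__ == "__main__":
    for key, outcome in run_scenarios().items():
        print(key, "->", outcome)
```

The two checks are deliberately independent: the digest check catches a tampered image even if the transport was somehow subverted, and the transport check stops the client from talking to an impostor in the first place, which also protects metadata (such as which version is current) that a digest on the final image cannot cover.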
As BleepingComputer points out, security researchers have discovered several major flaws in Dell software in recent years, including in SupportAssist. Researcher Bill Demirkapi discovered a remote code execution vulnerability in the update software in 2019, and in 2020 Dell patched a DLL search-order bug that allowed the execution of arbitrary code. Other vulnerabilities have included a remote code execution bug in Dell System Detect in 2015 and a flaw in the DBUtil driver, patched last month, that could allow hackers to take over a machine.