Cybersecurity researchers have disclosed a chain of vulnerabilities in the BIOSConnect feature of Dell Client BIOS. These vulnerabilities allow a privileged network adversary to achieve arbitrary code execution at the BIOS/UEFI level by impersonating Dell.com. The chain has a cumulative CVSS score of 8.3 (High), because an adversary who exploits it can control the device's boot process and subvert the operating system and higher-layer security controls. According to the research, these vulnerabilities affect 129 models (30 million devices across the globe), including consumer and business laptops, desktops, and tablets. Let's see how attackers use the Dell BIOSConnect and HTTPS Boot vulnerabilities to compromise Dell computers.
BIOSConnect is a feature of SupportAssist, a system health monitoring tool used to monitor devices and troubleshoot issues when they are found. Dell installs these utilities on devices shipped with the Windows OS to support its customers in case of hardware or software problems.
Dell uses BIOSConnect to perform remote OS recovery and firmware updates. Whenever the system needs a remote OS recovery or a firmware upgrade, BIOSConnect enables the system's BIOS to connect to Dell backend services over the Internet and then completes the OS recovery or firmware upgrade process.
“BIOSConnect provides a foundation platform allowing BIOS to connect to a Dell HTTPS backend and load an image via HTTPS method. This foundation expands the Serviceability feature set to enhance the on-box reliability experience by adding cloud-based Service OS (SOS) support.
BIOSConnect feature offers network-based SOS boot recovery capability by performing HTTP(s) download from the cloud to a local RAMDisk and transfers control to the downloaded Service OS image to perform the necessary corrective action. This enables the user to recover when the local HDD image is corrupted, replaced, or absent.”
See also: how to set up and run BIOSConnect when the computer fails to boot into the operating system (OS).
Researchers have identified four vulnerabilities that enable an attacker to perform Remote Code Execution (RCE) in the pre-boot environment by impersonating Dell.com. These attacks allow the attacker to alter the initial state of the operating system, violate common assumptions about the hardware/firmware layers, and break OS-level security controls at the very start of the boot process.
This vulnerability causes BIOSConnect to accept any valid wildcard certificate when it attempts to connect to the Dell server over a TLS connection.
The certificate verification process is designed to first resolve the server's DNS record through the hardcoded Google DNS server (8.8.8.8) and then establish a connection to https://downloads.dell.com. However, BIOSConnect accepts any valid wildcard certificate issued by any of its built-in trusted CAs and proceeds to download data into the system BIOS. This flaw allows an attacker to impersonate Dell and deliver malicious content to the victim device.
By exploiting CVE-2021-21571, an attacker can impersonate Dell and deliver malicious content to the victim machine. The attacker can then use that content to tamper with the OS recovery and firmware update process by exploiting the other three vulnerabilities.
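As an added illustration (not code from the article or from Dell's firmware), the Python below contrasts the kind of check the article describes, where a trusted chain plus any wildcard name is enough, with a hostname-bound check that matches the certificate's SAN entries against downloads.dell.com using RFC 6125 wildcard rules. The SAN lists are constructed, and `chain_trusted` stands in for the result of CA chain validation.

```python
from typing import Iterable

DELL_HOST = "downloads.dell.com"   # backend host named in the article

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: a '*' is allowed only as the entire leftmost
    label and stands for exactly one label, so '*.dell.com' matches
    'downloads.dell.com' but not 'dell.com' or 'a.b.dell.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False                     # partial or non-leftmost wildcards rejected
    if len(p_labels) < 3:
        return False                     # '*.com' would cover a whole TLD
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def weak_accept(sans: Iterable[str], chain_trusted: bool) -> bool:
    """Flawed logic of the kind CVE-2021-21571 describes: once the chain leads
    to a built-in CA, any wildcard SAN is accepted; the expected host is never
    compared, so a wildcard cert for an unrelated domain passes."""
    return chain_trusted and any(n == DELL_HOST or n.startswith("*.") for n in sans)

def strict_accept(sans: Iterable[str], chain_trusted: bool,
                  expected_host: str = DELL_HOST) -> bool:
    """Hardened form: the chain must be trusted AND some SAN must match the
    host the firmware intended to reach."""
    return chain_trusted and any(wildcard_matches(n, expected_host) for n in sans)

# Constructed SAN lists for illustration
ATTACKER_WILDCARD = ["*.attacker-owned.example"]   # valid chain, unrelated domain
GENUINE_WILDCARD = ["*.dell.com"]
```

The defensive takeaway is that chain validation alone is never sufficient: the name in the certificate must be bound to the host the client meant to reach.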
CVE | Description | CVSS Base Score | CVSS Vector String |
--- | --- | --- | --- |
CVE-2021-21571 | Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H |
CVE-2021-21572, CVE-2021-21573, CVE-2021-21574 | Dell BIOSConnect feature contains a buffer overflow vulnerability. An authenticated malicious admin user with local access to the system may potentially exploit this vulnerability to run arbitrary code and bypass UEFI restrictions. | 7.2 | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
Table #1: Summary of the Dell BIOSConnect and HTTPS Boot Vulnerabilities
The actual process works like this:
Fig #1: Ideal process of BIOSConnect server communication.
1. BIOSConnect requests a secure HTTPS connection with the backend Dell server.
2. The Dell server responds to the request with a TLS certificate.
3. BIOSConnect validates the certificate, having first resolved the server's DNS record through Google's DNS server (8.8.8.8).
4. BIOSConnect then establishes the connection to the Dell server and downloads the data.
Let's see how attackers exploit the vulnerabilities to alter this process:
Fig #2: Dell BIOSConnect and HTTPS Boot Vulnerability Attack
1. BIOSConnect requests a secure HTTPS connection with the backend Dell server.
2. The attacker intercepts the communication between BIOSConnect and the Dell server using a machine-in-the-middle technique.
3. The attacker then answers the BIOSConnect request with a tampered response and a wildcard certificate.
4. Because of CVE-2021-21571, BIOSConnect accepts the attacker's response and certificate and establishes communication with the impersonated Dell server.
5. BIOSConnect downloads the malicious data from the attacker's impersonated Dell server.
6. The attacker uses that data to tamper with the OS recovery and firmware update process by exploiting CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574.
According to the research, Dell initially discovered the Dell BIOSConnect and HTTPS Boot vulnerabilities on a Dell Secured-core PC (a Latitude 5310 using Secure Boot); the flaws were later found on 129 products. Here is the comprehensive list of affected products, the minimum BIOS version required to be secured, BIOSConnect and HTTPS Boot support, and the release date.
Product | BIOS Update Version (or greater) | Supports BIOSConnect | Supports HTTP(s) Boot | Release Date (MM/DD/YYYY) |
--- | --- | --- | --- | --- |
Alienware m15 R6 | 1.3.3 | Yes | Yes | 6/21/2021 |
ChengMing 3990 | 1.4.1 | Yes | No | 6/23/2021 |
ChengMing 3991 | 1.4.1 | Yes | No | 6/23/2021 |
Dell G15 5510 | 1.4.0 | Yes | Yes | 6/21/2021 |
Dell G15 5511 | 1.3.3 | Yes | Yes | 6/21/2021 |
Dell G3 3500 | 1.9.0 | Yes | No | 6/24/2021 |
Dell G5 5500 | 1.9.0 | Yes | No | 6/24/2021 |
Dell G7 7500 | 1.9.0 | Yes | No | 6/23/2021 |
Dell G7 7700 | 1.9.0 | Yes | No | 6/23/2021 |
Inspiron 14 5418 | 2.1.0 A06 | Yes | Yes | 6/24/2021 |
Inspiron 15 5518 | 2.1.0 A06 | Yes | Yes | 6/24/2021 |
Inspiron 15 7510 | 1.0.4 | Yes | Yes | 6/23/2021 |
Inspiron 3501 | 1.6.0 | Yes | No | 6/23/2021 |
Inspiron 3880 | 1.4.1 | Yes | No | 6/23/2021 |
Inspiron 3881 | 1.4.1 | Yes | No | 6/23/2021 |
Inspiron 3891 | 1.0.11 | Yes | Yes | 6/24/2021 |
Inspiron 5300 | 1.7.1 | Yes | No | 6/23/2021 |
Inspiron 5301 | 1.8.1 | Yes | No | 6/23/2021 |
Inspiron 5310 | 2.1.0 | Yes | Yes | 6/23/2021 |
Inspiron 5400 2n1 | 1.7.0 | Yes | No | 6/23/2021 |
Inspiron 5400 AIO | 1.4.0 | Yes | No | 6/23/2021 |
Inspiron 5401 | 1.7.2 | Yes | No | 6/23/2021 |
Inspiron 5401 AIO | 1.4.0 | Yes | No | 6/23/2021 |
Inspiron 5402 | 1.5.1 | Yes | No | 6/23/2021 |
Inspiron 5406 2n1 | 1.5.1 | Yes | No | 6/23/2021 |
Inspiron 5408 | 1.7.2 | Yes | No | 6/23/2021 |
Inspiron 5409 | 1.5.1 | Yes | No | 6/23/2021 |
Inspiron 5410 2-in-1 | 2.1.0 | Yes | Yes | 6/23/2021 |
Inspiron 5501 | 1.7.2 | Yes | No | 6/23/2021 |
Inspiron 5502 | 1.5.1 | Yes | No | 6/23/2021 |
Inspiron 5508 | 1.7.2 | Yes | No | 6/23/2021 |
Inspiron 5509 | 1.5.1 | Yes | No | 6/23/2021 |
Inspiron 7300 | 1.8.1 | Yes | No | 6/23/2021 |
Inspiron 7300 2n1 | 1.3.0 | Yes | No | 6/23/2021 |
Inspiron 7306 2n1 | 1.5.1 | Yes | No | 6/23/2021 |
Inspiron 7400 | 1.8.1 | Yes | No | 6/23/2021 |
Inspiron 7500 | 1.8.0 | Yes | No | 6/23/2021 |
Inspiron 7500 2n1 – Black | 1.3.0 | Yes | No | 6/23/2021 |
Inspiron 7500 2n1 – Silver | 1.3.0 | Yes | No | 6/23/2021 |
Inspiron 7501 | 1.8.0 | Yes | No | 6/23/2021 |
Inspiron 7506 2n1 | 1.5.1 | Yes | No | 6/23/2021 |
Inspiron 7610 | 1.0.4 | Yes | Yes | 6/23/2021 |
Inspiron 7700 AIO | 1.4.0 | Yes | No | 6/23/2021 |
Inspiron 7706 2n1 | 1.5.1 | Yes | No | 6/23/2021 |
Latitude 3120 | 1.1.0 | Yes | No | 6/23/2021 |
Latitude 3320 | 1.4.0 | Yes | Yes | 6/23/2021 |
Latitude 3410 | 1.9.0 | Yes | No | 6/23/2021 |
Latitude 3420 | 1.8.0 | Yes | No | 6/23/2021 |
Latitude 3510 | 1.9.0 | Yes | No | 6/23/2021 |
Latitude 3520 | 1.8.0 | Yes | No | 6/23/2021 |
Latitude 5310 | 1.7.0 | Yes | No | 6/24/2021 |
Latitude 5310 2 in 1 | 1.7.0 | Yes | No | 6/24/2021 |
Latitude 5320 | 1.7.1 | Yes | Yes | 6/21/2021 |
Latitude 5320 2-in-1 | 1.7.1 | Yes | Yes | 6/21/2021 |
Latitude 5410 | 1.6.0 | Yes | No | 6/23/2021 |
Latitude 5411 | 1.6.0 | Yes | No | 6/23/2021 |
Latitude 5420 | 1.8.0 | Yes | Yes | 6/22/2021 |
Latitude 5510 | 1.6.0 | Yes | No | 6/23/2021 |
Latitude 5511 | 1.6.0 | Yes | No | 6/23/2021 |
Latitude 5520 | 1.7.1 | Yes | Yes | 6/21/2021 |
Latitude 5521 | 1.3.0 A03 | Yes | Yes | 6/22/2021 |
Latitude 7210 2-in-1 | 1.7.0 | Yes | No | 6/23/2021 |
Latitude 7310 | 1.7.0 | Yes | No | 6/23/2021 |
Latitude 7320 | 1.7.1 | Yes | Yes | 6/23/2021 |
Latitude 7320 Detachable | 1.4.0 A04 | Yes | Yes | 6/22/2021 |
Latitude 7410 | 1.7.0 | Yes | No | 6/23/2021 |
Latitude 7420 | 1.7.1 | Yes | Yes | 6/23/2021 |
Latitude 7520 | 1.7.1 | Yes | Yes | 6/23/2021 |
Latitude 9410 | 1.7.0 | Yes | No | 6/23/2021 |
Latitude 9420 | 1.4.1 | Yes | Yes | 6/23/2021 |
Latitude 9510 | 1.6.0 | Yes | No | 6/23/2021 |
Latitude 9520 | 1.5.2 | Yes | Yes | 6/23/2021 |
Latitude 5421 | 1.3.0 A03 | Yes | Yes | 6/22/2021 |
OptiPlex 3080 | 2.1.1 | Yes | No | 6/23/2021 |
OptiPlex 3090 UFF | 1.2.0 | Yes | Yes | 6/23/2021 |
OptiPlex 3280 All-in-One | 1.7.0 | Yes | No | 6/23/2021 |
OptiPlex 5080 | 1.4.0 | Yes | No | 6/23/2021 |
OptiPlex 5090 Tower | 1.1.35 | Yes | Yes | 6/23/2021 |
OptiPlex 5490 AIO | 1.3.0 | Yes | Yes | 6/24/2021 |
OptiPlex 7080 | 1.4.0 | Yes | No | 6/23/2021 |
OptiPlex 7090 Tower | 1.1.35 | Yes | Yes | 6/23/2021 |
OptiPlex 7090 UFF | 1.2.0 | Yes | Yes | 6/23/2021 |
OptiPlex 7480 All-in-One | 1.7.0 | Yes | No | 6/23/2021 |
OptiPlex 7490 All-in-One | 1.3.0 | Yes | Yes | 6/24/2021 |
OptiPlex 7780 All-in-One | 1.7.0 | Yes | No | 6/23/2021 |
Precision 17 M5750 | 1.8.2 | Yes | No | 6/9/2021 |
Precision 3440 | 1.4.0 | Yes | No | 6/23/2021 |
Precision 3450 | 1.1.35 | Yes | Yes | 6/24/2021 |
Precision 3550 | 1.6.0 | Yes | No | 6/23/2021 |
Precision 3551 | 1.6.0 | Yes | No | 6/23/2021 |
Precision 3560 | 1.7.1 | Yes | Yes | 6/21/2021 |
Precision 3561 | 1.3.0 A03 | Yes | Yes | 6/22/2021 |
Precision 3640 | 1.6.2 | Yes | No | 6/23/2021 |
Precision 3650 MT | 1.2.0 | Yes | Yes | 6/24/2021 |
Precision 5550 | 1.8.1 | Yes | No | 6/23/2021 |
Precision 5560 | 1.3.2 | Yes | Yes | 6/23/2021 |
Precision 5760 | 1.1.3 | Yes | Yes | 6/16/2021 |
Precision 7550 | 1.8.0 | Yes | No | 6/23/2021 |
Precision 7560 | 1.1.2 | Yes | Yes | 6/22/2021 |
Precision 7750 | 1.8.0 | Yes | No | 6/23/2021 |
Precision 7760 | 1.1.2 | Yes | Yes | 6/22/2021 |
Vostro 14 5410 | 2.1.0 A06 | Yes | Yes | 6/24/2021 |
Vostro 15 5510 | 2.1.0 A06 | Yes | Yes | 6/24/2021 |
Vostro 15 7510 | 1.0.4 | Yes | Yes | 6/23/2021 |
Vostro 3400 | 1.6.0 | Yes | No | 6/23/2021 |
Vostro 3500 | 1.6.0 | Yes | No | 6/23/2021 |
Vostro 3501 | 1.6.0 | Yes | No | 6/23/2021 |
Vostro 3681 | 2.4.0 | Yes | No | 6/23/2021 |
Vostro 3690 | 1.0.11 | Yes | Yes | 6/24/2021 |
Vostro 3881 | 2.4.0 | Yes | No | 6/23/2021 |
Vostro 3888 | 2.4.0 | Yes | No | 6/23/2021 |
Vostro 3890 | 1.0.11 | Yes | Yes | 6/24/2021 |
Vostro 5300 | 1.7.1 | Yes | No | 6/23/2021 |
Vostro 5301 | 1.8.1 | Yes | No | 6/23/2021 |
Vostro 5310 | 2.1.0 | Yes | Yes | 6/23/2021 |
Vostro 5401 | 1.7.2 | Yes | No | 6/23/2021 |
Vostro 5402 | 1.5.1 | Yes | No | 6/23/2021 |
Vostro 5501 | 1.7.2 | Yes | No | 6/23/2021 |
Vostro 5502 | 1.5.1 | Yes | No | 6/23/2021 |
Vostro 5880 | 1.4.0 | Yes | No | 6/23/2021 |
Vostro 5890 | 1.0.11 | Yes | Yes | 6/24/2021 |
Vostro 7500 | 1.8.0 | Yes | No | 6/23/2021 |
XPS 13 9305 | 1.0.8 | Yes | No | 6/23/2021 |
XPS 13 2in1 9310 | 2.3.3 | Yes | No | 6/23/2021 |
XPS 13 9310 | 3.0.0 | Yes | No | 6/24/2021 |
XPS 15 9500 | 1.8.1 | Yes | No | 6/23/2021 |
XPS 15 9510 | 1.3.2 | Yes | Yes | 6/23/2021 |
XPS 17 9700 | 1.8.2 | Yes | No | 6/9/2021 |
XPS 17 9710 | 1.1.3 | Yes | Yes | 6/15/2021 |
Table #2: Products affected by the Dell BIOSConnect and HTTPS Boot Vulnerabilities
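As an added fleet-check helper (not from the article or from Dell), the following Python compares an installed BIOS version against the minimum fixed version for a model, using a few rows of Table #2 as its lookup data. It handles Dell's "A03"-style revision suffix and compares numerically, so 1.1.35 correctly ranks above 1.1.4, which a plain string comparison would get wrong.

```python
import re
from typing import Optional, Tuple

# Excerpt of Table #2 (model -> minimum fixed BIOS version); extend with the
# full table for a real fleet check.
MIN_FIXED_BIOS = {
    "Latitude 5310": "1.7.0",
    "Latitude 5421": "1.3.0 A03",
    "Inspiron 14 5418": "2.1.0 A06",
    "XPS 13 9310": "3.0.0",
    "OptiPlex 5090 Tower": "1.1.35",
}

def parse_bios_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '1.3.0 A03' into ((1, 3, 0), 3) and '1.1.35' into ((1, 1, 35), 0).
    The dotted numbers are the version proper; the optional 'Ann' suffix is a
    revision that only breaks ties between otherwise equal versions."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(?:A(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised BIOS version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return nums, rev

def is_patched(model: str, installed: str) -> Optional[bool]:
    """True if the installed BIOS meets the table minimum, False if it is
    below it, None if the model is not in the lookup (unknown, not 'safe')."""
    minimum = MIN_FIXED_BIOS.get(model)
    if minimum is None:
        return None
    # Tuple comparison is numeric per component, unlike comparing the raw strings.
    return parse_bios_version(installed) >= parse_bios_version(minimum)

if __name__ == "__main__":
    for model, ver in [("Latitude 5421", "1.3.0"), ("OptiPlex 5090 Tower", "1.1.4")]:
        print(model, ver, "patched" if is_patched(model, ver) else "UPDATE NEEDED")
```

The installed version can be read with `Get-CimInstance Win32_BIOS` on Windows or `dmidecode -s bios-version` on Linux; a model that returns None is simply absent from this excerpt, not known to be unaffected.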
Thanks for reading this post. Please share this information with anyone who owns a Dell computer and make them aware.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.