How Attackers Abuse The Dell BIOSConnect And HTTPS Boot Vulnerabilities To Compromise The Dell Computers?

June 25, 2021

Cybersecurity researchers disclosed a chain of vulnerabilities in the BIOSConnect feature of the Dell Client BIOS. These vulnerabilities allow a privileged network adversary to gain arbitrary code execution at the BIOS/UEFI level by impersonating Dell.com. The chain has been given a cumulative CVSS score of 8.3 (High) because an adversary who exploits it controls the device’s boot process and can subvert the operating system and every higher-layer security control. According to the research, the vulnerabilities affect 129 models (30 million devices across the globe), including consumer and business laptops, desktops, and tablets. Let’s see how attackers use the Dell BIOSConnect and HTTPS Boot vulnerabilities to compromise Dell computers.

What is BIOSConnect?

BIOSConnect is a feature of SupportAssist, Dell’s system health monitoring utility, which monitors the device and helps troubleshoot issues when they are found. Dell preinstalls these utilities on devices shipped with Windows to support its customers in case of hardware or software problems.

Dell uses BIOSConnect to perform remote OS recovery and firmware updates. Whenever the system needs a remote OS recovery or a firmware upgrade, BIOSConnect lets the system’s BIOS connect to Dell’s backend services over the Internet and then completes the OS recovery or firmware upgrade process.

“BIOSConnect provides a foundation platform allowing BIOS to connect to a Dell HTTPS backend and load an image via HTTPS method. This foundation expands the Serviceability feature set to enhance the on-box reliability experience by adding cloud-based Service OS (SOS) support.
BIOSConnect feature offers network-based SOS boot recovery capability by performing HTTP(s) download from the cloud to a local RAMDisk and transfers control to the downloaded Service OS image to perform the necessary corrective action. This enables the user to recover when the local HDD image is corrupted, replaced, or absent.”

Please check out how to set up and run BIOSConnect when the computer fails to boot into the operating system (OS).

Summary Of The Dell BIOSConnect And HTTPS Boot Vulnerabilities:

Researchers have identified four vulnerabilities that enable an attacker to achieve remote code execution (RCE) in the pre-boot environment by impersonating Dell.com. Such an attack lets the attacker alter the initial state of the operating system, violate common assumptions about the hardware/firmware layers, and break OS-level security controls from the very first boot.

CVE-2021-21571: Insecure TLS Connection From BIOS to Dell

This vulnerability makes BIOSConnect accept any valid wildcard certificate when it attempts to connect to the Dell server over a TLS connection.

The certificate verification process is designed to first resolve the server’s DNS record through the hardcoded Google DNS server (8.8.8.8) and then establish a connection to https://downloads.dell.com. However, BIOSConnect accepts any valid wildcard certificate issued by any of its built-in trusted CAs when downloading data into the system BIOS; in other words, the certificate is not matched against the expected Dell hostname. This flaw allows an attacker to impersonate Dell and deliver malicious content to the victim device.

CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574: Buffer Overflow Vulnerabilities Enable Arbitrary Code Execution

By exploiting CVE-2021-21571, an attacker can impersonate Dell and deliver malicious content to the victim machine. The attacker can then use that content to subvert the OS recovery and firmware update process by exploiting the three buffer overflow vulnerabilities.

Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String
CVE-2021-21571 | Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
CVE-2021-21572, CVE-2021-21573, CVE-2021-21574 | Dell BIOSConnect feature contains a buffer overflow vulnerability. An authenticated malicious admin user with local access to the system may potentially exploit this vulnerability to run arbitrary code and bypass UEFI restrictions. | 7.2 | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Table #1: Summary of the Dell BIOSConnect and HTTPS Boot Vulnerabilities

How Attackers Use The Dell BIOSConnect And HTTPS Boot Vulnerabilities To Compromise The Device?

The legitimate process works like this:

Fig #1: Ideal process of BIOSConnect server communication.

  1. BIOSConnect will request a secure HTTPS connection with the backend Dell server.

  2. The Dell server will respond to the request with a TLS certificate.

  3. BIOSConnect validates the certificate by first retrieving the DNS record from Google’s DNS server (8.8.8.8).

  4. Then BIOSConnect establishes a connection to the Dell server and downloads the data.

Let’s see how attackers exploit the vulnerabilities to alter the process:

Fig #2: Dell BIOSConnect and HTTPS Boot Vulnerability Attack

  1. BIOSConnect requests a secure HTTPS connection with the backend Dell server.

  2. The attacker intercepts the communication between BIOSConnect and the Dell server using machine-in-the-middle techniques.

  3. The attacker then responds to the BIOSConnect request with a tampered response and a wildcard certificate.

  4. Because of CVE-2021-21571, BIOSConnect accepts the attacker’s response and certificate and establishes communication with the impersonated Dell server.

  5. BIOSConnect downloads the malicious data from the attacker’s impersonated Dell server.

  6. The attacker uses that data to subvert the OS recovery and firmware update process by exploiting CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574.
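The following Python example is added here to illustrate the certificate check that CVE-2021-21571 and the two flows above turn on; it is not BIOSConnect’s code. It models a leaf certificate as constructed data (a SAN list plus a flag for whether path validation against the built-in CA store succeeded) and contrasts a chain-only check, which accepts any trusted wildcard certificate, with a check that also binds the certificate to the expected hostname downloads.dell.com. The Certificate class, the sample certificates and the simulate_exchange helper are constructed for this example.

```python
from dataclasses import dataclass

# The host BIOSConnect is supposed to reach (named on the page).
EXPECTED_HOST = "downloads.dell.com"

@dataclass
class Certificate:
    """Constructed stand-in for a parsed X.509 leaf certificate (not a real cert)."""
    subject_alt_names: list       # dNSName entries from the SAN extension
    chains_to_trusted_ca: bool    # outcome of path validation against the CA store

def dns_name_matches(pattern, hostname):
    """RFC 6125-style matching: a wildcard is allowed only as the entire leftmost
    label, matches exactly one label, and needs at least two labels after it."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:   # partial or non-leftmost wildcard
        return False
    if len(p_labels) < 3:                          # refuse '*.com'-style patterns
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def weak_validate(cert, expected_host=EXPECTED_HOST):
    """The behaviour the page describes for CVE-2021-21571: chain check only,
    so any certificate from a built-in trusted CA passes regardless of name."""
    return cert.chains_to_trusted_ca

def strict_validate(cert, expected_host=EXPECTED_HOST):
    """Chain check plus hostname binding: the check a TLS client must perform."""
    if not cert.chains_to_trusted_ca:
        return False
    return any(dns_name_matches(name, expected_host) for name in cert.subject_alt_names)

def simulate_exchange(cert, validator):
    """Outcome of the BIOSConnect exchange: proceed to download or abort."""
    return "download" if validator(cert) else "abort"

# Constructed sample certificates for the two flows on the page.
GENUINE = Certificate(["downloads.dell.com", "*.dell.com"], True)   # legitimate server
UNRELATED_WILDCARD = Certificate(["*.example.org"], True)            # trusted CA, wrong name
UNTRUSTED = Certificate(["downloads.dell.com"], False)               # right name, bad chain
```

With weak_validate both GENUINE and UNRELATED_WILDCARD lead to a download (the flaw in Fig #2); with strict_validate only GENUINE does.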

List Of Affected Devices To The Dell BIOSConnect And HTTPS Boot Vulnerabilities:

During the research, Dell initially discovered the Dell BIOSConnect and HTTPS Boot vulnerabilities on a Dell Secured-core PC (a Latitude 5310 using Secure Boot); they were later found on 129 products. Here is the comprehensive list of affected products, with the minimum BIOS version required to be secure, BIOSConnect and HTTPS Boot support, and the release date.

Product | BIOS Update Version (or greater) | Supports BIOSConnect | Supports HTTP(s) Boot | Release Date (MM/DD/YYYY) or Expected Release (Month/YYYY)
Alienware m15 R6 | 1.3.3 | Yes | Yes | 6/21/2021
ChengMing 3990 | 1.4.1 | Yes | No | 6/23/2021
ChengMing 3991 | 1.4.1 | Yes | No | 6/23/2021
Dell G15 5510 | 1.4.0 | Yes | Yes | 6/21/2021
Dell G15 5511 | 1.3.3 | Yes | Yes | 6/21/2021
Dell G3 3500 | 1.9.0 | Yes | No | 6/24/2021
Dell G5 5500 | 1.9.0 | Yes | No | 6/24/2021
Dell G7 7500 | 1.9.0 | Yes | No | 6/23/2021
Dell G7 7700 | 1.9.0 | Yes | No | 6/23/2021
Inspiron 14 5418 | 2.1.0 A06 | Yes | Yes | 6/24/2021
Inspiron 15 5518 | 2.1.0 A06 | Yes | Yes | 6/24/2021
Inspiron 15 7510 | 1.0.4 | Yes | Yes | 6/23/2021
Inspiron 3501 | 1.6.0 | Yes | No | 6/23/2021
Inspiron 3880 | 1.4.1 | Yes | No | 6/23/2021
Inspiron 3881 | 1.4.1 | Yes | No | 6/23/2021
Inspiron 3891 | 1.0.11 | Yes | Yes | 6/24/2021
Inspiron 5300 | 1.7.1 | Yes | No | 6/23/2021
Inspiron 5301 | 1.8.1 | Yes | No | 6/23/2021
Inspiron 5310 | 2.1.0 | Yes | Yes | 6/23/2021
Inspiron 5400 2n1 | 1.7.0 | Yes | No | 6/23/2021
Inspiron 5400 AIO | 1.4.0 | Yes | No | 6/23/2021
Inspiron 5401 | 1.7.2 | Yes | No | 6/23/2021
Inspiron 5401 AIO | 1.4.0 | Yes | No | 6/23/2021
Inspiron 5402 | 1.5.1 | Yes | No | 6/23/2021
Inspiron 5406 2n1 | 1.5.1 | Yes | No | 6/23/2021
Inspiron 5408 | 1.7.2 | Yes | No | 6/23/2021
Inspiron 5409 | 1.5.1 | Yes | No | 6/23/2021
Inspiron 5410 2-in-1 | 2.1.0 | Yes | Yes | 6/23/2021
Inspiron 5501 | 1.7.2 | Yes | No | 6/23/2021
Inspiron 5502 | 1.5.1 | Yes | No | 6/23/2021
Inspiron 5508 | 1.7.2 | Yes | No | 6/23/2021
Inspiron 5509 | 1.5.1 | Yes | No | 6/23/2021
Inspiron 7300 | 1.8.1 | Yes | No | 6/23/2021
Inspiron 7300 2n1 | 1.3.0 | Yes | No | 6/23/2021
Inspiron 7306 2n1 | 1.5.1 | Yes | No | 6/23/2021
Inspiron 7400 | 1.8.1 | Yes | No | 6/23/2021
Inspiron 7500 | 1.8.0 | Yes | No | 6/23/2021
Inspiron 7500 2n1 – Black | 1.3.0 | Yes | No | 6/23/2021
Inspiron 7500 2n1 – Silver | 1.3.0 | Yes | No | 6/23/2021
Inspiron 7501 | 1.8.0 | Yes | No | 6/23/2021
Inspiron 7506 2n1 | 1.5.1 | Yes | No | 6/23/2021
Inspiron 7610 | 1.0.4 | Yes | Yes | 6/23/2021
Inspiron 7700 AIO | 1.4.0 | Yes | No | 6/23/2021
Inspiron 7706 2n1 | 1.5.1 | Yes | No | 6/23/2021
Latitude 3120 | 1.1.0 | Yes | No | 6/23/2021
Latitude 3320 | 1.4.0 | Yes | Yes | 6/23/2021
Latitude 3410 | 1.9.0 | Yes | No | 6/23/2021
Latitude 3420 | 1.8.0 | Yes | No | 6/23/2021
Latitude 3510 | 1.9.0 | Yes | No | 6/23/2021
Latitude 3520 | 1.8.0 | Yes | No | 6/23/2021
Latitude 5310 | 1.7.0 | Yes | No | 6/24/2021
Latitude 5310 2 in 1 | 1.7.0 | Yes | No | 6/24/2021
Latitude 5320 | 1.7.1 | Yes | Yes | 6/21/2021
Latitude 5320 2-in-1 | 1.7.1 | Yes | Yes | 6/21/2021
Latitude 5410 | 1.6.0 | Yes | No | 6/23/2021
Latitude 5411 | 1.6.0 | Yes | No | 6/23/2021
Latitude 5420 | 1.8.0 | Yes | Yes | 6/22/2021
Latitude 5510 | 1.6.0 | Yes | No | 6/23/2021
Latitude 5511 | 1.6.0 | Yes | No | 6/23/2021
Latitude 5520 | 1.7.1 | Yes | Yes | 6/21/2021
Latitude 5521 | 1.3.0 A03 | Yes | Yes | 6/22/2021
Latitude 7210 2-in-1 | 1.7.0 | Yes | No | 6/23/2021
Latitude 7310 | 1.7.0 | Yes | No | 6/23/2021
Latitude 7320 | 1.7.1 | Yes | Yes | 6/23/2021
Latitude 7320 Detachable | 1.4.0 A04 | Yes | Yes | 6/22/2021
Latitude 7410 | 1.7.0 | Yes | No | 6/23/2021
Latitude 7420 | 1.7.1 | Yes | Yes | 6/23/2021
Latitude 7520 | 1.7.1 | Yes | Yes | 6/23/2021
Latitude 9410 | 1.7.0 | Yes | No | 6/23/2021
Latitude 9420 | 1.4.1 | Yes | Yes | 6/23/2021
Latitude 9510 | 1.6.0 | Yes | No | 6/23/2021
Latitude 9520 | 1.5.2 | Yes | Yes | 6/23/2021
Latitude 5421 | 1.3.0 A03 | Yes | Yes | 6/22/2021
OptiPlex 3080 | 2.1.1 | Yes | No | 6/23/2021
OptiPlex 3090 UFF | 1.2.0 | Yes | Yes | 6/23/2021
OptiPlex 3280 All-in-One | 1.7.0 | Yes | No | 6/23/2021
OptiPlex 5080 | 1.4.0 | Yes | No | 6/23/2021
OptiPlex 5090 Tower | 1.1.35 | Yes | Yes | 6/23/2021
OptiPlex 5490 AIO | 1.3.0 | Yes | Yes | 6/24/2021
OptiPlex 7080 | 1.4.0 | Yes | No | 6/23/2021
OptiPlex 7090 Tower | 1.1.35 | Yes | Yes | 6/23/2021
OptiPlex 7090 UFF | 1.2.0 | Yes | Yes | 6/23/2021
OptiPlex 7480 All-in-One | 1.7.0 | Yes | No | 6/23/2021
OptiPlex 7490 All-in-One | 1.3.0 | Yes | Yes | 6/24/2021
OptiPlex 7780 All-in-One | 1.7.0 | Yes | No | 6/23/2021
Precision 17 M5750 | 1.8.2 | Yes | No | 6/9/2021
Precision 3440 | 1.4.0 | Yes | No | 6/23/2021
Precision 3450 | 1.1.35 | Yes | Yes | 6/24/2021
Precision 3550 | 1.6.0 | Yes | No | 6/23/2021
Precision 3551 | 1.6.0 | Yes | No | 6/23/2021
Precision 3560 | 1.7.1 | Yes | Yes | 6/21/2021
Precision 3561 | 1.3.0 A03 | Yes | Yes | 6/22/2021
Precision 3640 | 1.6.2 | Yes | No | 6/23/2021
Precision 3650 MT | 1.2.0 | Yes | Yes | 6/24/2021
Precision 5550 | 1.8.1 | Yes | No | 6/23/2021
Precision 5560 | 1.3.2 | Yes | Yes | 6/23/2021
Precision 5760 | 1.1.3 | Yes | Yes | 6/16/2021
Precision 7550 | 1.8.0 | Yes | No | 6/23/2021
Precision 7560 | 1.1.2 | Yes | Yes | 6/22/2021
Precision 7750 | 1.8.0 | Yes | No | 6/23/2021
Precision 7760 | 1.1.2 | Yes | Yes | 6/22/2021
Vostro 14 5410 | 2.1.0 A06 | Yes | Yes | 6/24/2021
Vostro 15 5510 | 2.1.0 A06 | Yes | Yes | 6/24/2021
Vostro 15 7510 | 1.0.4 | Yes | Yes | 6/23/2021
Vostro 3400 | 1.6.0 | Yes | No | 6/23/2021
Vostro 3500 | 1.6.0 | Yes | No | 6/23/2021
Vostro 3501 | 1.6.0 | Yes | No | 6/23/2021
Vostro 3681 | 2.4.0 | Yes | No | 6/23/2021
Vostro 3690 | 1.0.11 | Yes | Yes | 6/24/2021
Vostro 3881 | 2.4.0 | Yes | No | 6/23/2021
Vostro 3888 | 2.4.0 | Yes | No | 6/23/2021
Vostro 3890 | 1.0.11 | Yes | Yes | 6/24/2021
Vostro 5300 | 1.7.1 | Yes | No | 6/23/2021
Vostro 5301 | 1.8.1 | Yes | No | 6/23/2021
Vostro 5310 | 2.1.0 | Yes | Yes | 6/23/2021
Vostro 5401 | 1.7.2 | Yes | No | 6/23/2021
Vostro 5402 | 1.5.1 | Yes | No | 6/23/2021
Vostro 5501 | 1.7.2 | Yes | No | 6/23/2021
Vostro 5502 | 1.5.1 | Yes | No | 6/23/2021
Vostro 5880 | 1.4.0 | Yes | No | 6/23/2021
Vostro 5890 | 1.0.11 | Yes | Yes | 6/24/2021
Vostro 7500 | 1.8.0 | Yes | No | 6/23/2021
XPS 13 9305 | 1.0.8 | Yes | No | 6/23/2021
XPS 13 2in1 9310 | 2.3.3 | Yes | No | 6/23/2021
XPS 13 9310 | 3.0.0 | Yes | No | 6/24/2021
XPS 15 9500 | 1.8.1 | Yes | No | 6/23/2021
XPS 15 9510 | 1.3.2 | Yes | Yes | 6/23/2021
XPS 17 9700 | 1.8.2 | Yes | No | 6/9/2021
XPS 17 9710 | 1.1.3 | Yes | Yes | 6/15/2021

Table #2: Products affected by the Dell BIOSConnect and HTTPS Boot Vulnerabilities

Thanks for reading this post. Please share this information with anyone who owns a Dell computer and make them aware.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
