Skip to main content

Cybersecurity researchers disclosed a chain of vulnerabilities on the BIOSConnect within Dell Client BIOS. These vulnerabilities allow a privileged network adversary to launch arbitrary code execution at the BIOS/UEFI level by impersonating Dell.com. The vulnerabilities have given a cumulative CVSS score of 8.3 (High) because adversaries can control the device’s boot process and subvert the operating system and higher-layer security controls using these attacks. According to the research, these vulnerabilities affect 129 models (30 million devices across the globe), including consumer and business laptops, desktops, and tablets. Let’s see how attackers use the Dell BIOSConnect and HTTPS Boot vulnerabilities to compromise the Dell computers.

What is BIOS Connect?

BIOSConnect is a feature of SupportAssist, a system health monitoring system used to monitor and troubleshoot when issues are found. Dell installs these utilities on the devices shipped with Windows OS to support their customers in case of any hardware/software issues.

Dell uses BIOSConnect to perform a remote OS recovery and update the firmware. Whenever the system needs a remote OS recovery or firmware upgrades, BIOSConnect enables the system’s BIOS to connect Dell backend services over the Internet and then helps in completing the OS recovery or firmware upgrades process.

“BIOSConnect provides a foundation platform allowing BIOS to connect to a Dell HTTPS backend and load an image via HTTPS method. This foundation expands the Serviceability feature set to enhance the on-box reliability experience by adding cloud-based Service OS (SOS) support.

BIOSConnect feature offers network-based SOS boot recovery capability by performing HTTP(s) download from the cloud to a local RAMDisk and transfers control to the downloaded Service OS image to perform the necessary corrective action. This enables the user to recover when the local HDD image is corrupted, replaced, or absent.”

Please check out how to set up and run BIOSConnect when the computer fails to boot into the Operating System (OS)?

Summary Of The Dell BIOSConnect And HTTPS Boot Vulnerabilities:

Researchers have identified four vulnerabilities that enable an attacker to perform Remote Code Execution attacks (RCE) in the pre-boot environment by impersonating Dell.com. These attacks would allow the attacker to alter the initial state of an operating system, violate common assumptions on the hardware/firmware layers, and break OS-level security controls at the initial boot itself.

CVE-2021-21571: Insecure TLS Connection From BIOS to Dell

This vulnerability lets the BIOSConnect accept any valid wildcard certificate when it attempts to connect the Dell server over a secured TLS connection.

The certificate verification process is designed to verify the certificate by first retrieving the DNS record from the hardcoded google’s DNS server (8.8.8.8) then establish a connection to https://downloads.dell.com. However, the BIOSConnect is accepting any valid wildcard certificate issued by any of the built-in trusted CA’s of BIOSConnect to download the data to the system BIOS. This flaw allows an attacker to impersonate Dell and deliver malicious content to the victim device.

 

See Also What Is Authentication Bypass Vulnerability? How To Prevent It?

CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574: Buffer Overflow Vulnerabilities Enable Arbitrary Code Execution

By exploiting the CVE-2021-21571 vulnerability, an attacker can impersonate dell and deliver the malicious content to the victim machine. The attacker can use the delivered malicious content to affect the OS recovery and firmware update process by exploiting the three vulnerabilities.

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2021-21571 Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering. 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
CVE-2021-21572,
CVE-2021-21573,
CVE-2021-21574
Dell BIOSConnect feature contains a buffer overflow vulnerability. An authenticated malicious admin user with local access to the system may potentially exploit this vulnerability to run arbitrary code and bypass UEFI restrictions. 7.2 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Table #1: Summary of the Dell BIOSConnect and HTTPS Boot Vulnerabilities

How Attackers Use Rhe Dell BIOSCnnect And HTTPS Boot Vulnerabilities To Compromise The Device?

The actual process works like this:

  1. BIOSConnect will request a secure HTTPS connection with the backend Dell server.
  2. The Dell server will respond to the request with a TLS certificate.
  3. BIOSConnect validates the certificate by first retrieving the DNS record from google’s DNS server (8.8.8.8).
  4. Then BIOSConnect establishes a connection to the Dell server and downloads the data.

Let’s see how attackers exploits the vulnerabilities to alters the process:

  1. BIOSConnect requests a secure HTTPS connection with the backend Dell server.
  2. The attacker intercepts the communication from BIOSConnect to the Dell server using the machine in the middle techniques.
  3. Then attacker responds to the BIOSConnect request with a tampered response along with a wild card certificate.
  4. The CVE-2021-21571 vulnerability makes BIOSConnect accepts the attacker’s request and certificate and establishes the communication with the impersonated Dell server.
  5. BIOSConnect will download the malicious data from the impersonated attacker’s Dell server.
  6. The attacker uses the data to affect the OS recovery and firmware update process by exploiting the CVE-2021-21572,  CVE-2021-21573, and  CVE-2021-21574 vulnerabilities.

List Of Affected Devices To The Dell BIOSConnect And HTTPS Boot Vulnerabilities:

On research, Dell initially discovered the Dell BIOSConnect and HTTPS Boot Vulnerabilitieson on a Dell Secured-core PC Latitude 5310 using Secure Boot. Later found on 129 products. Here is the comprehensive list of products affected, minimum BIOS version required to be secured, BIOSConnect & HTTPS Boot support, and release date. 

Product BIOS Update Version
(or greater)
Supports BIOSConnect Supports HTTP(s) Boot Release Date (MM/DD/YYYY)
Expected Release (Month /YYYY)
Alienware m15 R6 1.3.3 Yes Yes 6/21/2021
ChengMing 3990 1.4.1 Yes No 6/23/2021
ChengMing 3991 1.4.1 Yes No 6/23/2021
Dell G15 5510 1.4.0 Yes Yes 6/21/2021
Dell G15 5511 1.3.3 Yes Yes 6/21/2021
Dell G3 3500 1.9.0 Yes No 6/24/2021
Dell G5 5500 1.9.0 Yes No 6/24/2021
Dell G7 7500 1.9.0 Yes No 6/23/2021
Dell G7 7700 1.9.0 Yes No 6/23/2021
Inspiron 14 5418 2.1.0 A06 Yes Yes 6/24/2021
Inspiron 15 5518 2.1.0 A06 Yes Yes 6/24/2021
Inspiron 15 7510 1.0.4 Yes Yes 6/23/2021
Inspiron 3501 1.6.0 Yes No 6/23/2021
Inspiron 3880 1.4.1 Yes No 6/23/2021
Inspiron 3881 1.4.1 Yes No 6/23/2021
Inspiron 3891 1.0.11 Yes Yes 6/24/2021
Inspiron 5300 1.7.1 Yes No 6/23/2021
Inspiron 5301 1.8.1 Yes No 6/23/2021
Inspiron 5310 2.1.0 Yes Yes 6/23/2021
Inspiron 5400 2n1 1.7.0 Yes No 6/23/2021
Inspiron 5400 AIO 1.4.0 Yes No 6/23/2021
Inspiron 5401 1.7.2 Yes No 6/23/2021
Inspiron 5401 AIO 1.4.0 Yes No 6/23/2021
Inspiron 5402 1.5.1 Yes No 6/23/2021
Inspiron 5406 2n1 1.5.1 Yes No 6/23/2021
Inspiron 5408 1.7.2 Yes No 6/23/2021
Inspiron 5409 1.5.1 Yes No 6/23/2021
Inspiron 5410 2-in-1 2.1.0 Yes Yes 6/23/2021
Inspiron 5501 1.7.2 Yes No 6/23/2021
Inspiron 5502 1.5.1 Yes No 6/23/2021
Inspiron 5508 1.7.2 Yes No 6/23/2021
Inspiron 5509 1.5.1 Yes No 6/23/2021
Inspiron 7300 1.8.1 Yes No 6/23/2021
Inspiron 7300 2n1 1.3.0 Yes No 6/23/2021
Inspiron 7306 2n1 1.5.1 Yes No 6/23/2021
Inspiron 7400 1.8.1 Yes No 6/23/2021
Inspiron 7500 1.8.0 Yes No 6/23/2021
Inspiron 7500 2n1 – Black 1.3.0 Yes No 6/23/2021
Inspiron 7500 2n1 – Silver 1.3.0 Yes No 6/23/2021
Inspiron 7501 1.8.0 Yes No 6/23/2021
Inspiron 7506 2n1 1.5.1 Yes No 6/23/2021
Inspiron 7610 1.0.4 Yes Yes 6/23/2021
Inspiron 7700 AIO 1.4.0 Yes No 6/23/2021
Inspiron 7706 2n1 1.5.1 Yes No 6/23/2021
Latitude 3120 1.1.0 Yes No 6/23/2021
Latitude 3320 1.4.0 Yes Yes 6/23/2021
Latitude 3410 1.9.0 Yes No 6/23/2021
Latitude 3420 1.8.0 Yes No 6/23/2021
Latitude 3510 1.9.0 Yes No 6/23/2021
Latitude 3520 1.8.0 Yes No 6/23/2021
Latitude 5310 1.7.0 Yes No 6/24/2021
Latitude 5310 2 in 1 1.7.0 Yes No 6/24/2021
Latitude 5320 1.7.1 Yes Yes 6/21/2021
Latitude 5320 2-in-1 1.7.1 Yes Yes 6/21/2021
Latitude 5410 1.6.0 Yes No 6/23/2021
Latitude 5411 1.6.0 Yes No 6/23/2021
Latitude 5420 1.8.0 Yes Yes 6/22/2021
Latitude 5510 1.6.0 Yes No 6/23/2021
Latitude 5511 1.6.0 Yes No 6/23/2021
Latitude 5520 1.7.1 Yes Yes 6/21/2021
Latitude 5521 1.3.0 A03 Yes Yes 6/22/2021
Latitude 7210 2-in-1 1.7.0 Yes No 6/23/2021
Latitude 7310 1.7.0 Yes No 6/23/2021
Latitude 7320 1.7.1 Yes Yes 6/23/2021
Latitude 7320 Detachable 1.4.0 A04 Yes Yes 6/22/2021
Latitude 7410 1.7.0 Yes No 6/23/2021
Latitude 7420 1.7.1 Yes Yes 6/23/2021
Latitude 7520 1.7.1 Yes Yes 6/23/2021
Latitude 9410 1.7.0 Yes No 6/23/2021
Latitude 9420 1.4.1 Yes Yes 6/23/2021
Latitude 9510 1.6.0 Yes No 6/23/2021
Latitude 9520 1.5.2 Yes Yes 6/23/2021
Latitude 5421 1.3.0 A03 Yes Yes 6/22/2021
OptiPlex 3080 2.1.1 Yes No 6/23/2021
OptiPlex 3090 UFF 1.2.0 Yes Yes 6/23/2021
OptiPlex 3280 All-in-One 1.7.0 Yes No 6/23/2021
OptiPlex 5080 1.4.0 Yes No 6/23/2021
OptiPlex 5090 Tower 1.1.35 Yes Yes 6/23/2021
OptiPlex 5490 AIO 1.3.0 Yes Yes 6/24/2021
OptiPlex 7080 1.4.0 Yes No 6/23/2021
OptiPlex 7090 Tower 1.1.35 Yes Yes 6/23/2021
OptiPlex 7090 UFF 1.2.0 Yes Yes 6/23/2021
OptiPlex 7480 All-in-One 1.7.0 Yes No 6/23/2021
OptiPlex 7490 All-in-One 1.3.0 Yes Yes 6/24/2021
OptiPlex 7780 All-in-One 1.7.0 Yes No 6/23/2021
Precision 17 M5750 1.8.2 Yes No 6/9/2021
Precision 3440 1.4.0 Yes No 6/23/2021
Precision 3450 1.1.35 Yes Yes 6/24/2021
Precision 3550 1.6.0 Yes No 6/23/2021
Precision 3551 1.6.0 Yes No 6/23/2021
Precision 3560 1.7.1 Yes Yes 6/21/2021
Precision 3561 1.3.0 A03 Yes Yes 6/22/2021
Precision 3640 1.6.2 Yes No 6/23/2021
Precision 3650 MT 1.2.0 Yes Yes 6/24/2021
Precision 5550 1.8.1 Yes No 6/23/2021
Precision 5560 1.3.2 Yes Yes 6/23/2021
Precision 5760 1.1.3 Yes Yes 6/16/2021
Precision 7550 1.8.0 Yes No 6/23/2021
Precision 7560 1.1.2 Yes Yes 6/22/2021
Precision 7750 1.8.0 Yes No 6/23/2021
Precision 7760 1.1.2 Yes Yes 6/22/2021
Vostro 14 5410 2.1.0 A06 Yes Yes 6/24/2021
Vostro 15 5510 2.1.0 A06 Yes Yes 6/24/2021
Vostro 15 7510 1.0.4 Yes Yes 6/23/2021
Vostro 3400 1.6.0 Yes No 6/23/2021
Vostro 3500 1.6.0 Yes No 6/23/2021
Vostro 3501 1.6.0 Yes No 6/23/2021
Vostro 3681 2.4.0 Yes No 6/23/2021
Vostro 3690 1.0.11 Yes Yes 6/24/2021
Vostro 3881 2.4.0 Yes No 6/23/2021
Vostro 3888 2.4.0 Yes No 6/23/2021
Vostro 3890 1.0.11 Yes Yes 6/24/2021
Vostro 5300 1.7.1 Yes No 6/23/2021
Vostro 5301 1.8.1 Yes No 6/23/2021
Vostro 5310 2.1.0 Yes Yes 6/23/2021
Vostro 5401 1.7.2 Yes No 6/23/2021
Vostro 5402 1.5.1 Yes No 6/23/2021
Vostro 5501 1.7.2 Yes No 6/23/2021
Vostro 5502 1.5.1 Yes No 6/23/2021
Vostro 5880 1.4.0 Yes No 6/23/2021
Vostro 5890 1.0.11 Yes Yes 6/24/2021
Vostro 7500 1.8.0 Yes No 6/23/2021
XPS  13 9305 1.0.8 Yes No 6/23/2021
XPS 13 2in1  9310 2.3.3 Yes No 6/23/2021
XPS 13 9310 3.0.0 Yes No 6/24/2021
XPS 15 9500 1.8.1 Yes No 6/23/2021
XPS 15 9510 1.3.2 Yes Yes 6/23/2021
XPS 17 9700 1.8.2 Yes No 6/9/2021
XPS 17 9710 1.1.3 Yes Yes 6/15/2021

Table #2 Affected with the Dell BIOSConnect and HTTPS Boot Vulnerabilities

Leave a Reply