Dell has released recommendations for multiple security vulnerabilities affecting the BIOSConnect and HTTPS Boot features
Eclypsium researchers have identified multiple vulnerabilities affecting the BIOSConnect feature within Dell Client BIOS. According to the firm, this chain of vulnerabilities has a cumulative CVSS score of 8.3 (High) because it allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device.
In a blog post, Eclypsium wrote that such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls. The issue affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs.
Dell acknowledged that Mickey Shkatov and Jesse Michael of Eclypsium reported the issue. Its advisory describes the Dell BIOSConnect and HTTPS Boot features as follows:
- The Dell BIOSConnect feature is a Dell preboot solution that is used to update system BIOS and recover the operating system (OS) using the SupportAssist OS Recovery on Dell Client platforms. Note: BIOSConnect requires a physically present user to initiate this feature. Only a subset of platforms with the BIOSConnect feature is affected. See the table under the Additional Information section below for impacted platforms.
- The Dell HTTPS Boot feature is an extension to UEFI HTTP Boot specifications to boot from an HTTP(S) Server. Note: This feature is not configured by default and requires a physically present user with local OS admin rights to configure. Additionally, a physically present user is required to initiate the feature when used with wireless networks. Not all platforms contain the HTTPS Boot feature. See the table under the Additional Information section below for a list of impacted platforms.
Exploiting the chain requires additional steps:
- To exploit the vulnerability chain in BIOSConnect, a malicious actor must separately perform additional steps before a successful exploit, including: compromise a user’s network, obtain a certificate that is trusted by one of the Dell UEFI BIOS https stack’s built-in Certificate Authorities, and wait for a user who is physically present at the system to use the BIOSConnect feature.
- To exploit the vulnerability in HTTPS Boot, a malicious actor must separately perform additional steps before a successful exploit, including: compromise a user’s network, obtain a certificate that is trusted by one of the Dell UEFI BIOS https stack’s built-in Certificate Authorities, and wait for a user who is physically present at the system to change the boot order and use the HTTPS Boot feature.
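The preconditions above are telling: the attacker needs a certificate that one of the BIOS's built-in CAs trusts, not a certificate issued for Dell.com. That is the difference between validating a certificate chain and binding that chain to the server name the client intended to reach. The following Python is an added illustration written for this page; it is not Dell's or Eclypsium's code and does not reproduce the UEFI HTTPS stack's logic. The certificate records, the `chain_trusted` flag that stands in for path validation, and the expected host name are constructed for the example. It contrasts a chain-only acceptance policy with one that also performs RFC 6125 dNSName matching, including the wildcard rules an attacker-controlled wildcard certificate would have to satisfy.

```python
"""Chain trust alone versus chain trust plus server identity.

Added example, not vendor code. 'Cert' is a constructed stand-in for a parsed
X.509 leaf; 'chain_trusted' represents a successful path validation to a
trusted CA, which is all the weak policy below ever checks.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 leaf certificate."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)
    chain_trusted: bool = False  # outcome of path validation to a trusted CA


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname (RFC 6125 section 6.4.3).

    Rules implemented:
      - comparison is case-insensitive; a trailing dot is ignored
      - a wildcard is allowed only as the entire leftmost label ("*.example.com")
      - the wildcard covers exactly one label, never a.b.example.com
      - the pattern must keep at least two literal labels, so "*.com" is refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label and appear nowhere else ("w*.x" fails).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # Same label count: the wildcard stands in for exactly one leftmost label.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert: Cert, expected_host: str) -> bool:
    """Bind the certificate to the intended host.

    When any dNSName SAN is present the subject CN is ignored (RFC 6125 6.4.4);
    the CN is consulted only as a legacy fallback for certificates without SANs.
    """
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(dnsname_match(n, expected_host) for n in names)


def accept_chain_only(cert: Cert, expected_host: str) -> bool:
    """Weak policy: any certificate that chains to a built-in CA is accepted.
    expected_host is never consulted, so any CA-issued cert impersonates it."""
    return cert.chain_trusted


def accept_chain_and_identity(cert: Cert, expected_host: str) -> bool:
    """Hardened policy: the chain must validate AND the name must match."""
    return cert.chain_trusted and identity_matches(cert, expected_host)


# Constructed scenario. The host name is the one the advisory says is
# impersonated; it is an assumption for the example, not a BIOSConnect endpoint.
EXPECTED_HOST = "dell.com"

# A network attacker presents a certificate a public CA genuinely issued, but
# for a domain the attacker controls (constructed data).
ATTACKER_CERT = Cert(subject_cn="attacker.example",
                     san_dns=["attacker.example", "*.attacker.example"],
                     chain_trusted=True)

# The genuine server certificate (constructed data).
GENUINE_CERT = Cert(subject_cn="dell.com", san_dns=["dell.com"], chain_trusted=True)


def run_scenario() -> dict:
    """Evaluate both policies against both certificates and return the outcomes."""
    return {
        "chain_only_accepts_attacker": accept_chain_only(ATTACKER_CERT, EXPECTED_HOST),
        "hardened_accepts_attacker": accept_chain_and_identity(ATTACKER_CERT, EXPECTED_HOST),
        "hardened_accepts_genuine": accept_chain_and_identity(GENUINE_CERT, EXPECTED_HOST),
    }


if __name__ == "__main__":
    for outcome, value in run_scenario().items():
        print(f"{outcome}: {value}")
```

The chain-only policy accepts the attacker's certificate because it never asks which host the connection was for; the hardened policy rejects it and still accepts the genuine one. In a real client the identity check belongs inside the TLS handshake (for example `check_hostname=True` on a Python `ssl.SSLContext`), and a firmware HTTPS stack has the additional constraint that its trust store and matching rules ship in the BIOS image, which is why Dell's fix is a BIOS update rather than a server-side change for CVE-2021-21571 and CVE-2021-21572.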
In addition to applying the remediations below, customers can further protect themselves by following security best practices by only using secured networks and preventing unauthorized local and physical access to devices. Customers should also enable platform security features such as Secure Boot (enabled by default for Dell platforms with Windows) and BIOS Admin Password for added protection.
Affected Products and Remediation
CVE-2021-21573 and CVE-2021-21574 were remediated on the server side on May 28, 2021 and require no additional customer action.
CVE-2021-21571 and CVE-2021-21572 require Dell Client BIOS updates to address the vulnerabilities. See the table under the Additional Information section to determine the version of the remediated Dell Client BIOS to apply to your system. There are multiple ways to update your Dell Client BIOS. If you typically use BIOSConnect to update your BIOS, Dell recommends using a different method to apply the BIOS updates, such as:
- Using one of the Dell notification solutions to be notified and download BIOS updates automatically once available.
- Visiting the Drivers and Downloads site for updates on the applicable products. To learn more, visit the Dell Knowledge Base article Dell BIOS Updates, and download the update for your Dell computer.
- Flashing the BIOS from the F12 One-Time Boot Menu.
For those that cannot apply BIOS updates immediately, Dell has also provided an interim mitigation to disable the BIOSConnect and HTTPS Boot features. See the Workarounds and Mitigations section below.
Workarounds and Mitigations
Dell recommends all customers update to the latest Dell Client BIOS version at the earliest opportunity. Customers who choose not to apply BIOS updates immediately or who are otherwise unable to do so now, should apply the below mitigation.
BIOSConnect:
- Customers may disable the BIOSConnect feature using one of two options:
- Option 1: Customers may disable BIOSConnect from the BIOS setup page (F2).
- Note: Customers may find the BIOSConnect option under different BIOS setup menu interfaces depending on their platform model. These are seen below as BIOS Setup Menu Type A and BIOS Setup Menu Type B.
- BIOS Setup Menu Type A: F2 > Update, Recovery > BIOSConnect > Switch to Off.
- BIOS Setup Menu Type B: F2 > Settings > SupportAssist System Resolution > BIOSConnect > Uncheck BIOSConnect option.
- Note: Dell recommends customers not to run “BIOS Flash Update – Remote” from F12 until the system is updated with a remediated version of the BIOS.
- Option 2: Customers may leverage Dell Command | Configure (DCC)’s Remote System Management tool to disable the BIOSConnect and Firmware Over the Air (FOTA) BIOS settings.
HTTPS Boot:
- Customers may disable the HTTPS Boot feature using one of two options:
- Option 1: Customers may disable HTTPS Boot from the BIOS setup page (F2).
- F2 > Connection > HTTP(s) Boot > Switch to Off.
- Option 2: Customers may leverage Dell Command | Configure (DCC)’s Remote System Management tool to disable HTTP Boot Support.
Tags: BIOSConnect, Dell, Eclypsium