Dell SupportAssist bugs put about 30 million PCs at risk


Security researchers have identified four significant security vulnerabilities in the BIOSConnect feature of Dell SupportAssist, allowing attackers to remotely execute code within the BIOS of affected devices.

According to Dell’s website, the SupportAssist software is “preinstalled on most Dell devices running the Windows operating system,” while BIOSConnect provides remote firmware update and OS recovery features.

The chain of flaws found by Eclypsium researchers comes with a CVSS base score of 8.3/10 and allows privileged remote attackers to impersonate Dell and gain control of the target device’s boot process to break OS-level security controls.

“Such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls,” Eclypsium researchers explain in a report shared in advance with BleepingComputer.

“The issue affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs,” with approximately 30 million individual devices exposed to attacks.

BIOSConnect attack scenario
Image: Eclypsium

The researchers identified one issue leading to an insecure TLS connection from the BIOS to Dell (tracked as CVE-2021-21571) and three overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574).

Two of the overflow security flaws “affect the OS recovery process, while the other affects the firmware update process,” Eclypsium says. “All three vulnerabilities are independent, and each one could lead to arbitrary code execution in BIOS.”

Additional details on the vulnerabilities can be found in Eclypsium’s report, and the full list of affected device models in Dell’s advisory.

Customers advised not to use BIOSConnect for updating their BIOS

According to Eclypsium, users must update the system BIOS/UEFI on all affected systems. The researchers also recommend using an alternative method, rather than SupportAssist’s BIOSConnect feature, to apply BIOS updates to their devices.

Dell is providing BIOS/UEFI updates for affected devices and updates to affected executables on

CVE-2021-21573 and CVE-2021-21574 don’t require additional customer action, as they were addressed server side on May 28, 2021. However, the CVE-2021-21571 and CVE-2021-21572 vulnerabilities require Dell Client BIOS updates to be fully addressed.

Users who cannot immediately update their systems can disable BIOSConnect from the BIOS setup page or by using the Dell Command | Configure (DCC) Remote System Management tool.
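Before patching or disabling BIOSConnect, a fleet owner first needs to know which Dell hosts and BIOS versions are in scope. The PowerShell snippet below is an added example written for this article, not code from Dell, Eclypsium, or the original post: it reads the manufacturer, model, and SMBIOS BIOS version through the standard Win32_ComputerSystem and Win32_BIOS CIM classes and flags hosts whose model appears in an affected-model list. The model names and fixed BIOS version in `$AffectedModels` are placeholders; fill them from Dell’s advisory. Whether BIOSConnect is enabled is a BIOS setup setting that this script does not read; it only identifies candidate machines.

```powershell
# Added example (not Dell's or Eclypsium's code). Identifies Dell hosts whose
# model is listed as affected and whose BIOS is older than the fixed version.
# PLACEHOLDER values below must be replaced with data from Dell's advisory.
$AffectedModels = @{
    'PLACEHOLDER-MODEL-A' = [version]'9.9.9'   # fixed BIOS version from the advisory
    'PLACEHOLDER-MODEL-B' = [version]'9.9.9'
}

function Get-DellBiosStatus {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    $isDell = $cs.Manufacturer -match 'Dell'
    $listed = $isDell -and $AffectedModels.ContainsKey($cs.Model)

    # Dell client BIOS versions are normally dotted numbers such as 1.2.3;
    # fall back to a string compare if the version does not parse.
    $installed = $null
    $needsUpdate = $false
    if ($listed) {
        if ([version]::TryParse($bios.SMBIOSBIOSVersion, [ref]$installed)) {
            $needsUpdate = $installed -lt $AffectedModels[$cs.Model]
        } else {
            $needsUpdate = $bios.SMBIOSBIOSVersion -ne $AffectedModels[$cs.Model].ToString()
        }
    }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        BIOSVersion  = $bios.SMBIOSBIOSVersion
        BIOSDate     = $bios.ReleaseDate
        IsDell       = $isDell
        ModelListed  = $listed
        NeedsUpdate  = $needsUpdate
    }
}

$status = Get-DellBiosStatus
$status | Format-List

if ($status.NeedsUpdate) {
    Write-Warning "BIOS $($status.BIOSVersion) on $($status.Model) is below the fixed version; apply the update outside BIOSConnect or disable BIOSConnect in BIOS setup."
}
```

To run this across a domain, wrap `Get-DellBiosStatus` in `Invoke-Command -ComputerName <hosts>` and export the objects to CSV; the resulting inventory is the list of machines to patch through a channel other than BIOSConnect.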

“The specific vulnerabilities covered here allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device,” the researchers concluded.

“This combination of remote exploitability and high privileges will likely make remote update functionality an attractive target for attackers in the future, and organizations should make sure to monitor and update their devices accordingly.”

Dell software plagued by critical flaws

This is not the first time owners of Dell computers have been exposed to attacks through security vulnerabilities found in the SupportAssist software.

Two years ago, in May 2019, the company patched another high-severity SupportAssist remote code execution (RCE) vulnerability caused by an improper origin validation weakness, reported by security researcher Bill Demirkapi in 2018.

This RCE allowed unauthenticated attackers on the same network access layer as targeted systems to remotely execute arbitrary executables on unpatched devices.

Security researcher Tom Forbes found a similar RCE flaw in the Dell System Detect application in 2015, making it possible for attackers to cause the buggy program to download and execute arbitrary files without user interaction.

SupportAssist was patched again one year later, in February 2020, to address a security flaw caused by a DLL search-order hijacking bug that enabled local attackers to execute arbitrary code with Administrator privileges on vulnerable devices.

Last but not least, last month Dell addressed a flaw making it possible to escalate privileges from non-admin users to kernel privileges, a bug found in the DBUtil driver that ships with tens of millions of Dell devices.