The BIOSConnect feature of Dell SupportAssist has four critical security vulnerabilities that allow attackers to remotely execute code in the BIOS of vulnerable devices.
Most Dell computers running Windows ship with the SupportAssist software preloaded; BIOSConnect, one of its features, provides remote firmware updates and OS recovery.
Eclypsium researchers discovered the flaws, which carry a CVSS base score of 8.3/10.
Chained together, they allow a privileged remote attacker to impersonate Dell.com and take control of the target device's boot process, bypassing OS-level security mechanisms.
According to the researchers, such an exploit would give threat actors control over the device's boot process and let them subvert the operating system and the higher-layer security mechanisms that depend on it.
The issue affects 129 Dell laptop, desktop, and tablet models for consumers and businesses, including systems with Secure Boot enabled and Dell Secured-core PCs. Around 30 million devices are estimated to be vulnerable.
The first vulnerability, CVE-2021-21571, is an insecure TLS connection between the BIOS and Dell.com.
The other three are overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574): two affect the OS recovery process and the third affects the firmware update process.
The three overflow flaws are independent of one another, and each can result in arbitrary code execution in the BIOS.
Users of all affected devices must update the system BIOS/UEFI.
The researchers also suggest that users apply BIOS updates on their devices via a means other than SupportAssist’s BIOSConnect capability.
On Dell.com, Dell is offering BIOS/UEFI updates for affected systems, as well as updates to affected executables.
On May 28, 2021, the vulnerabilities CVE-2021-21573 and CVE-2021-21574 were patched on the server side. However, to fully fix the CVE-2021-21571 and CVE-2021-21572 vulnerabilities, Dell Client BIOS updates are required.
Users who are unable to update their systems immediately should disable BIOSConnect via the BIOS setup page or the Dell Command | Configure (DCC) Remote System Management tool.