InvestorsHub Logo
Boards
News
Market Data
Markets
Discover
Discover
Subscribe Login/Register
S&P 500
5,009.29
(
-1.23%
)
US TECH 100
16,783.60
(
-1.62%
)
Dow Jones
37,859.62
(
-1.56%
)
Brent Oil
86.57
(
-0.75%
)
Bitcoin
63,639.86
(
-1.00%
)
Post# of 248733
Next 10
Reply Private New
Public Reply Private Reply New Post
Keep Last Read
Keep Next 10 Report Keyboard Shortcuts
Next 10 Prev Next

Genz2

Send PM Follow Ignore
Followers 5
Posts 2517
Boards Moderated 0
Alias Born 09/06/2006

Genz2

Re: None

Thursday, 06/24/2021 8:42:55 AM

Thursday, June 24, 2021 8:42:55 AM

Post# of 248733
Vulnerabilities in Dell computers allow RCE at the BIOS/UEFI level

https://www.helpnetsecurity.com/2021/06/24/vulnerabilities-dell-bios/

An estimated 30 million Dell computers are affected by several vulnerabilities that may enable an attacker to remotely execute code in the pre-boot (BIOS/UEFI) environment, Eclypsium researchers have found.

The vulnerabilities

The vulnerabilities affect 128 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs.

The problem resides in the BIOSConnect feature of Dell SupportAssist, a solution that comes preinstalled on most Windows-based Dell machines and helps users troubleshoot and resolve hardware and software problems.

BIOSConnect helps perform a remote OS recovery or update the firmware on the device, and it does so by connecting to Dell backend services over the internet, downloading the needed software/firmware, and coordinating the recovery/update process.

Unfortunately, as the researchers found, these processes can be subverted to deliver malicious content to a target machine.

Eclypsium uncovered four vulnerabilities.

CVE-2021-21571 stems from the fact that the TLS connection from BIOSConnect to the backend Dell HTTP server will accept any valid wildcard certificate issued by any of the built-in CA’s contained within the BIOSConnect feature. The problem is in the certificate verification code, which is also present in some of the HTTPS Boot configurations.

“This allows an attacker with a privileged network position to impersonate Dell and deliver attacker-controlled content back to the victim device,” the researchers explained.

CVE-2021- 21572, CVE-2021-21573, CVE-2021-21574 are three overflow vulnerabilities, two of which affect the OS recovery process, and one the firmware update process. Each one of these could lead to arbitrary code execution in the pre-boot environment.

Concatenated, these vulnerabilities may allow a privileged network adversary (e.g., executing a Machine-in-the-Middle attack) to gain control of the target device’s boot process and subvert the operating system and higher-layer security controls.

“Because this attack is delivered directly to firmware, it is invisible to most endpoint security software,” noted Jesse Michael, Principal Analyst at Eclypsium.

How to fix this?

The researchers disclosed the existence of the vulnerabilities to Dell in March 2021.

CVE-2021-21573 and CVE-2021-21574 have been fixed on the server side in late May 2021 and require no action/intervention by the device owners.

The CVE-2021-21571 and CVE-2021-21572 vulnerabilities, on the other hand, require Dell Client BIOS updates. Dell is pushing out some of the updates today, and others are planned for July.

Users of Dell computers are advised to check the list of vulnerable device models (available in Dell’s security advisory) and see whether they are affected. If they are, they should apply the BIOS updates via one of the recommended methods.

If implementing the update is impossible, the risk of the vulnerabilitie being exploited can be temporariliy be mitigated by disabling the BIOSConnect and HTTPS Boot features.

Michael also added that, even when CVE-2021-21571 is removed, organizations should make sure that internal systems using HTTPS Boot have certificates fully controlled by the organization (and not by CAs that issue certificates broadly).

Eclypsium researchers will share more details about the discovered vulnerabilities at this year’s DEF CON.
==================================================================
What if an organization was using its TPMs (hardware), and Wave Endpoint Monitor to detect an attack?? The Dell computers would be safer with enabled TPMs and Wave Endpoint Monitor!!! The Dell computers should have Wave Endpoint Monitor in the first place given how it can protect against malware!!!
==================================================================
http://www.wavesys.com/

http://www.wavesys.com/contact-information

Contact Wave

Wave Systems
401 Congress Avenue
Suite 2650
Austin, TX 78701
sales@wavesys.com

Gold Customer Support:

goldsupport@wavesys.com

1-800-928-3638

Support:

support@wavesys.com

1-844-250-7077

Sales:

1-877-228-WAVE













Public Reply Private Reply New Post
Keep Last Read
Keep Last Read Next 10 Report Keyboard Shortcuts
Next 10 Prev Next

Join the InvestorsHub Community

Register for free to join our community of investors and share your ideas. You will also get access to streaming quotes, interactive charts, trades, portfolio, live options flow and more tools.

Sign Up