Dell SupportAssist contained RCE flaw allowing miscreants to remotely reflash your BIOS with code of their creation

A chain of four vulnerabilities in Dell's SupportAssist remote firmware update utility could let malicious people run arbitrary code in no fewer than 129 different PCs and laptops models – while impersonating Dell to remotely upload a tampered BIOS.

A remote BIOS reflasher built into a pre-installed Dell support tool, SupportAssist, would accept "any valid wildcard certificate" from a pre-defined list of certificate authorities, giving attackers a vital foothold deep inside targeted machines – though Dell insists the exploit is only viable if a logged-in user runs the SupportAssist utility and in combination with a man-in-the-middle attack.

Consisting of four daisy-chained flaws, the vulns have a combined CVSSv3.1 score of 8.1 and allow remote code execution at an early stage of booting a vulnerable system by authenticated attackers. Updates for SupportAssist are available from Dell to mitigate the vulns, which infosec firm Eclypsium reckons affect about 30 million laptops and PCs.

The company, which blogged about the vulns, said: "Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls."

• You won't want that Linux bling if it comes from Pling: Marketplace platform has critical vulnerabilities
• Google pushes bug databases to get on the same page for open-source security
• Fashion titan French Connection says 'FCUK' as REvil-linked ransomware makes off with data
• Zephyr OS Bluetooth vulnerabilities left smart devices open to attack

The wildcard cert vuln (CVE-2021-21571) came about because a SupportAssist feature called BIOSConnect did not properly validate the TLS certificate for https://downloads.dell.com after carrying out a DNS lookup for that domain via Google's 8.8.8.8 DNS server. BIOSConnect would accept any wildcard certificate from a list of certificate authorities as valid instead of the actual certificate for the Dell downloads site, said Eclypsium.

"When UEFI Secure Boot is disabled, this vulnerability can be used to gain arbitrary remote code execution in the UEFI/pre-boot environment on the client device," the firm continued.

Further details of the three other vulns, coyly referred to only as "a buffer overflow" by Dell and Eclypsium, will be revealed at Def Con. Tracked as CVE-2021-21572 through -21574 inclusive, these were cumulatively rated as 7.2 on the CVSSv3.1 scale. CVE-2021-21573 and CVE-2021-21574 have both "been remediated on the server side" according to Dell and "require no additional customer action."

Dell was less than chuffed judging by the wording of its advisory about the flaws, though it confirmed it had worked with Eclypsium from March, well prior to public disclosure.

"To exploit the vulnerability chain in BIOSConnect, a malicious actor must separately perform additional steps before a successful exploit, including: compromise a user's network, obtain a certificate that is trusted by one of the Dell UEFI BIOS https stack's built-in Certificate Authorities, and wait for a user who is physically present at the system to use the BIOSConnect feature," sniffed an unimpressed Dell.

Eclypsium agreed, saying: "An attack scenario would require an attacker to be able to redirect the victim’s traffic, such as via a Machine-in-the-Middle (MITM) attack."

Bharat Jogi, Qualys senior manager of vulnerability and threat research, commented: "The four vulnerabilities on Dell devices are highly concerning. BIOS is critical for a device boot process and its security is vital to ensure safety of the entire device. This is especially important in the current environment due to the increased wave of supply chain attacks. This chain of security vulnerabilities allow for bypass of Secure Boot protections, can be exploited to take complete control of the device and hence organisations should prioritise patching."

If you don't fancy upgrading SupportAssist, an effective mitigation is simply to delete the utility, according to Dell. ®