Security vulnerabilities in the Dell SupportAssist program potentially put millions of devices at risk globally. Exploiting the vulnerabilities could allow an attacker to tamper with the BIOS of the target systems. Dell has released fixes for the bugs.
Dell SupportAssist Vulnerabilities
Researchers from the cybersecurity firm Eclypsium discovered multiple vulnerabilities in SupportAssist – a dedicated support solution for Dell systems. This solution comes pre-installed on most Windows-based Dell systems, so the underlying vulnerabilities potentially put millions of devices at risk.
As elaborated in their report, the researchers found four different bugs affecting the BIOSConnect feature. Exploiting the flaws together in a chained attack could let an adversary tamper with the BIOS of the target systems.
The chain allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device. Such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls.
Specifically, the attack gives the adversary control before the OS boots, which in turn allows changes at the OS level, including disruption of OS-level security measures.
The attack received a high-severity rating with a CVSS score of 8.3.
Dell Released Patches
Following the discovery of the bugs, the researchers reported the matter to Dell, which then developed fixes. Eclypsium researchers identified 128 vulnerable models; Dell confirmed the number as 129.
Dell has since patched all the vulnerabilities and deployed the fixes.
According to Dell’s advisory, the vulnerabilities include an improper certificate validation flaw (CVE-2021-21571) and three buffer overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, CVE-2021-21574).
Of these, Dell patched CVE-2021-21573 and CVE-2021-21574 on the server side in May 2021. The other two, CVE-2021-21571 and CVE-2021-21572, require a Dell Client BIOS update to receive the fixes.
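As an added example (not code from Dell, Eclypsium or the SupportAssist product), the following Python sketch shows the defensive controls whose absence underlies an improper certificate validation flaw of the kind described for CVE-2021-21571: an updater's TLS context that requires chain validation and hostname checking, an allow-list for the update host, and an independent digest check on the downloaded image before it reaches any flash tool. The host name `updates.example-vendor.test`, the function names and the sample bytes are assumptions constructed for this example.

```python
"""
Added example, not Dell's or Eclypsium's code: the controls a firmware
update agent needs so that a privileged network position cannot stand in
for the vendor's download server.  All names and values are constructed.
"""
import hashlib
import hmac
import ssl
from urllib.parse import urlparse

# Constructed placeholder: the only host the updater is allowed to fetch from.
ALLOWED_UPDATE_HOST = "updates.example-vendor.test"


def make_update_context(verify: bool = True) -> ssl.SSLContext:
    """Build the TLS context the updater uses for its HTTPS download.

    verify=True  -> certificate chain validated against the system CA store
                    and the server name checked against the certificate.
    verify=False -> reproduces the weakness class 'improper certificate
                    validation': any certificate, including one presented by
                    an on-path system impersonating the update host, is accepted.
    """
    ctx = ssl.create_default_context()      # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Policy check an auditor or unit test can run against the agent's context."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def url_is_allowed(url: str) -> bool:
    """Accept only https:// URLs whose host is the pinned update host.

    Rejecting userinfo ('user@host') closes the 'allowed-host@evil' trick
    where a naive substring match would still see the expected name.
    """
    parts = urlparse(url)
    return (
        parts.scheme == "https"
        and parts.hostname == ALLOWED_UPDATE_HOST
        and parts.username is None
    )


def image_matches_manifest(image: bytes, expected_sha256_hex: str) -> bool:
    """Second layer: even over a verified channel, compare the image digest
    with the manifest value before handing it to the flash tool."""
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex.lower())


if __name__ == "__main__":
    # Constructed sample: a fake BIOS image and its manifest digest.
    sample_image = b"\x55\xaa constructed-bios-image-bytes"
    manifest_digest = hashlib.sha256(sample_image).hexdigest()

    print("hardened context safe:", context_is_safe(make_update_context(True)))
    print("weak context safe:    ", context_is_safe(make_update_context(False)))
    print("https pinned host ok: ", url_is_allowed(
        "https://updates.example-vendor.test/bios/image.bin"))
    print("userinfo trick ok:    ", url_is_allowed(
        "https://updates.example-vendor.test@other.test/bios/image.bin"))
    print("image matches:        ", image_matches_manifest(sample_image, manifest_digest))
    print("tampered image matches:", image_matches_manifest(sample_image + b"x", manifest_digest))
```

`context_is_safe` is the kind of assertion worth keeping in an update agent's test suite: with `verify=False` the context accepts whatever certificate the other end presents, which is exactly the condition that lets a privileged network position impersonate the vendor's servers. The digest check is deliberately independent of the transport so that a mistake in TLS configuration alone is not enough to get an unexpected image accepted.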
For this, Dell advises using an update method other than BIOSConnect, such as:
- Dell notification solutions
- Drivers and Downloads
- Flashing the BIOS from the F12 One-Time Boot Menu
For those who can’t update the Dell Client BIOS through these methods, the advisory recommends mitigations and lists all vulnerable devices from the Alienware m15 R6 and the Inspiron, OptiPlex, Latitude, Vostro, and XPS lines.