Security Experts:

Eclypsium: BIOSConnect Flaws Haunt Millions of Dell Computers

Security researchers at Eclypsium have figured out a way to exploit a set of high-severity vulnerabilities that expose millions of Dell computers to stealthy hacker attacks.

Eclypsium, a U.S. company that addresses firmware security threats, said the issue affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices that use Microsoft’s new Secured-core PC protections.

The company published a technical report to document the discovery, which affects an estimated 30 million Dell computer devices.  Separately, Dell released software fixes alongside a warning that this should be treated as a high-impact issue.

In all, Dell shipped patches for at least four documented CVEs credited to Eclypsium researchers Mickey Shkatov and Jesse Michael.  The researchers plan to discuss the vulnerabilities and potential impact at this years DEF CON security conference.

[ Related: Hackers Can Plant Backdoors on Bare Metal Cloud Servers ]

The Eclypsium researchers found the problems in the BIOSConnect feature within Dell Client BIOS.  “[This issue] allows a privileged network adversary to impersonate and gain arbitrary code execution at the BIOS/UEFI level of the affected device. Such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls,” Shkatov and Michael said in a published paper

“These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls,” the researchers said. 

The problematic BIOSConnect feature lives within another updating mechanism called SupportAssist that’s used to handle update and remote management on Dell computers.

Specifically, the Dell UEFI BIOS https stack leveraged by the Dell BIOSConnect feature and Dell HTTPS Boot feature contains an improper certificate validation vulnerability. “A remote unauthenticated attacker may exploit this vulnerability using a person-in-the-middle attack which may lead to a denial of service and payload tampering,” Dell warned in its advisory.

Dell confirmed and patched three additional issues identified by Eclypsium, including a buffer overflow bug in Dell BIOSConnec that could allow an authenticated malicious admin user with local access to the system to run arbitrary code and bypass UEFI restrictions.

Eclypsium is warning that this combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future.  

Related: Enterprise Device Security Company Eclypsium Raises $13 Million

Related: 'BootHole' Flaw Allows Installation of Stealthy Malware

Related: Hackers Can Plant Backdoors on Bare Metal Cloud Servers

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.