How Attackers Abuse The Dell BIOSConnect And HTTPS Boot Vulnerabilities To Compromise The Dell Computers?

Cybersecurity researchers disclosed a chain of vulnerabilities on the BIOSConnect within Dell Client BIOS. These vulnerabilities allow a privileged network adversary to launch arbitrary code execution at the BIOS/UEFI level by impersonating Dell.com. The vulnerabilities have given a cumulative CVSS score of 8.3 (High) because adversaries can control the device’s boot process and subvert the operating system and higher-layer security controls using these attacks. According to the research, these vulnerabilities affect 129 models (30 million devices across the globe), including consumer and business laptops, desktops, and tablets. Let’s see how attackers use the Dell BIOSConnect and HTTPS Boot vulnerabilities to compromise the Dell computers.

What is BIOS Connect?

BIOSConnect is a feature of SupportAssist, a system health monitoring system used to monitor and troubleshoot when issues are found. Dell installs these utilities on the devices shipped with Windows OS to support their customers in case of any hardware/software issues.

Dell uses BIOSConnect to perform a remote OS recovery and update the firmware. Whenever the system needs a remote OS recovery or firmware upgrades, BIOSConnect enables the system’s BIOS to connect Dell backend services over the Internet and then helps in completing the OS recovery or firmware upgrades process.

“BIOSConnect provides a foundation platform allowing BIOS to connect to a Dell HTTPS backend and load an image via HTTPS method. This foundation expands the Serviceability feature set to enhance the on-box reliability experience by adding cloud-based Service OS (SOS) support.

BIOSConnect feature offers network-based SOS boot recovery capability by performing HTTP(s) download from the cloud to a local RAMDisk and transfers control to the downloaded Service OS image to perform the necessary corrective action. This enables the user to recover when the local HDD image is corrupted, replaced, or absent.”

Please check out how to set up and run BIOSConnect when the computer fails to boot into the Operating System (OS)?

Summary Of The Dell BIOSConnect And HTTPS Boot Vulnerabilities:

Researchers have identified four vulnerabilities that enable an attacker to perform Remote Code Execution attacks (RCE) in the pre-boot environment by impersonating Dell.com. These attacks would allow the attacker to alter the initial state of an operating system, violate common assumptions on the hardware/firmware layers, and break OS-level security controls at the initial boot itself.

CVE-2021-21571: Insecure TLS Connection From BIOS to Dell

This vulnerability lets the BIOSConnect accept any valid wildcard certificate when it attempts to connect the Dell server over a secured TLS connection.

The certificate verification process is designed to verify the certificate by first retrieving the DNS record from the hardcoded google’s DNS server (8.8.8.8) then establish a connection to https://downloads.dell.com. However, the BIOSConnect is accepting any valid wildcard certificate issued by any of the built-in trusted CA’s of BIOSConnect to download the data to the system BIOS. This flaw allows an attacker to impersonate Dell and deliver malicious content to the victim device.

CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574: Buffer Overflow Vulnerabilities Enable Arbitrary Code Execution

By exploiting the CVE-2021-21571 vulnerability, an attacker can impersonate dell and deliver the malicious content to the victim machine. The attacker can use the delivered malicious content to affect the OS recovery and firmware update process by exploiting the three vulnerabilities.

How Attackers Use Rhe Dell BIOSConnect And HTTPS Boot Vulnerabilities To Compromise The Device?

The actual process works like this:

1. BIOSConnect will request a secure HTTPS connection with the backend Dell server.
2. The Dell server will respond to the request with a TLS certificate.
3. BIOSConnect validates the certificate by first retrieving the DNS record from google’s DNS server (8.8.8.8).
4. Then BIOSConnect establishes a connection to the Dell server and downloads the data.

Let’s see how attackers exploits the vulnerabilities to alters the process:

1. BIOSConnect requests a secure HTTPS connection with the backend Dell server.
2. The attacker intercepts the communication from BIOSConnect to the Dell server using the machine in the middle techniques.
3. Then attacker responds to the BIOSConnect request with a tampered response along with a wild card certificate.
4. The CVE-2021-21571 vulnerability makes BIOSConnect accepts the attacker’s request and certificate and establishes the communication with the impersonated Dell server.
5. BIOSConnect will download the malicious data from the impersonated attacker’s Dell server.
6. The attacker uses the data to affect the OS recovery and firmware update process by exploiting the CVE-2021-21572,  CVE-2021-21573, and  CVE-2021-21574 vulnerabilities.

List Of Affected Devices To The Dell BIOSConnect And HTTPS Boot Vulnerabilities:

On research, Dell initially discovered the Dell BIOSConnect and HTTPS Boot Vulnerabilitieson on a Dell Secured-core PC Latitude 5310 using Secure Boot. Later found on 129 products. Here is the comprehensive list of products affected, minimum BIOS version required to be secured, BIOSConnect & HTTPS Boot support, and release date. 

 Thanks for reading this post. Please share this information with one who owns the Dell computer and make them aware.

• How to set up a Raspberry Pi for the first time?
• Three different ways to boot a Raspberry Pi from a USB drive:
• Detailed anatomy of the Tor network | Structure of the Tor network
• 6 simple tips to remain anonymous on the dark web!
• How do (ALPACA ) TLS Cross-Protocol Attacks lets Attackers redirect HTTPS traffic