Millions of Dell devices at risk due to SupportAssist security vulnerabilities
Security researchers from Eclypsium have discovered a total of four vulnerabilities in Dell's SupportAssist software. As the software is pre-installed on the majority of Dell machines running Windows, millions of systems are at risk of remote attack.
Eclypsium says that a total of 129 Dell models are affected by the security issues. The chain of vulnerabilities that leaves systems open to attack has a cumulative CVSS score of 8.3 (High) and there is a warning that they "pose significant risks to the integrity of Dell devices".
Security flaws have been found in the BIOSConnect feature of SupportAssist which could be exploited to devastating effect. The security team at Eclypsium explains: "Our research has identified a series of four vulnerabilities that would enable a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines. The vulnerabilities were originally discovered on a Dell Secured-core PC Latitude 5310 using Secure Boot, and we later confirmed the issue on other models of desktops and laptops".
While there are factors that limit the potential for exploitation -- particularly the need for an attacker to implement a man-in-the-middle attack -- the researchers point out that "the virtually unlimited control over a device that this attack can provide makes it worth the effort by the attacker".
In all, over 30 million devices are at risk, the security researchers explain:
Eclypsium researchers have identified multiple vulnerabilities affecting the BIOSConnect feature within Dell Client BIOS. This chain of vulnerabilities has a cumulative CVSS score of 8.3 (High) because it allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device. Such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls. The issue affects 128 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs.
The Eclypsium team has coordinated with Dell PSIRT throughout the disclosure process. Dell has issued a Dell Security Advisory and is scheduling BIOS/UEFI updates for affected systems and updates to affected executables from Dell.com. Please reference the Mitigations section for the latest information on how to protect affected devices.
These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls. As attackers increasingly shift their focus to vendor supply chains and system firmware, it is more important than ever that organizations have independent visibility and control over the integrity of their devices.
The fix is to update to the very latest version of BIOSConnect, or to disable the feature entirely. Full details are available in a post on the Eclypsium website.