Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Bug Security

Dell SupportAssist Bugs Put Over 30 Million PCs At Risk (bleepingcomputer.com) 27

Posted by msmash from the security-woes dept.
AmiMoJo writes: Security researchers have found four major security vulnerabilities in the BIOSConnect feature of Dell SupportAssist, allowing attackers to remotely execute code within the BIOS of impacted devices. According to Dell's website, the SupportAssist software is 'preinstalled on most Dell devices running Windows operating system,' while BIOSConnect provides remote firmware update and OS recovery features. The chain of flaws discovered by Eclypsium researchers comes with a CVSS base score of 8.3/10 and enables privileged remote attackers to impersonate Dell.com and take control of the target device's boot process to break OS-level security controls. "Such an attack would enable adversaries to control the device's boot process and subvert the operating system and higher-layer security controls," Eclypsium researchers explain in a report shared in advance with BleepingComputer. "The issue affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs," with roughly 30 million individual devices exposed to attacks.
This discussion has been archived. No new comments can be posted.

Dell SupportAssist Bugs Put Over 30 Million PCs At Risk More

Dell SupportAssist Bugs Put Over 30 Million PCs At Risk

Comments Filter:

  • The Dell update is borked and has been for a long time, last years update broken my Inspiron laptop. After a cold boot it freezes on BIOS Dell spash and has to to warm boot to actually start.

    This years update introduced a crash in the WIFI driver, that requires the driver to be restarted often.

    Neither allow the option to roll back the update.

  • CVE's and Advisory's (Score:5, Informative)

    by BeerFartMoron ( 624900 ) on Friday June 25, 2021 @01:41PM (#61520790)

    The reasearchers identified one issue leading to an insecure TLS connection from BIOS to Dell (tracked as CVE-2021-21571 [nist.gov]) and three overflow vulnerabilities (CVE-2021-21572 [nist.gov], CVE-2021-21573 [nist.gov], and CVE-2021-21574 [nist.gov])

    Two of the overflow security flaws "affect the OS recovery process, while the other affects the firmware update process," Eclypsium says. "All three vulnerabilities are independent, and each one could lead to arbitrary code execution in BIOS."

    Additional info on the vulnerabilities can be found in Eclypsium's report [eclypsium.com] and the complete list of affected device models in Dell's advisory [dell.com].

  • Is redundant and eats up a fair amount of CPU time (according to Gamer's Nexus recently) and is in general a waste of space and time.
    It comes off their systems the moment it's unboxed and set up around my office. Been doing that for Dell, HP, Lenovo and anyone else who brings unneeded bloatware into the OS. Seems common sense to me.

  • Two out three, as usual. (Score:4, Funny)

    by 140Mandak262Jamuna ( 970587 ) on Friday June 25, 2021 @01:45PM (#61520806) Journal
    Secure

    Convenient

    Cheap

    Pick two out of three. Tableau:

    Some PHB joker in support came up with the idea, how about we install something in the bios, that way we can fix problems for our clueless customers easily. Mighty convenient..

    If some Dilbert said, But... but... any hacker can get in impersonating us ..., PHB would have said, We can get Alice here to code up some password or something ...

    Asok the intern would pipe in, Yes, an asymmetric hand shake private keys... we can do it. .

    PHB goes, nah, too expensive. hardwire a password. Same password for all machines, its too expensive to maintain tables of separate password for each machine, and to flash the chips in production.

    Dilbert, Alice, Asok heads would explode. Wally would nod wisely, with a what you jokers were thinking look and sip coffee calmly.

  • This is how proper names turn into verbs.
  • I've been uninstalling it on site since Nov of 2020. I uninstall all of it including their digital delivery service.

  • I build my own PC's

    • Re: (Score:1)

      by Anonymous Coward

      with chips from china

  • If you don't immediately rip out OEM software from consumer devices you kinda get what you deserve.

    • Especially junk that apparently connects my BIOS directly to the internet? Why in the hell would I want that? Might as well open up my router's web admin interface to the internet as well. What could go wrong?

  • Do they really have a working exploit (Score:4, Interesting)

    by FeelGood314 ( 2516288 ) on Friday June 25, 2021 @02:48PM (#61521050)
    Or did they just find a possible overflow somewhere that isn't check immediately before running but would require a 2GB +1 byte bios firmware image or something equally silly. Can they impersonate dell to the BIOS in a privileged way or can they just do something like start a the authentication process and be stopped later. I've been on the receiving end of a lot of these so called exploits and I would say 95% of them are bogus but still get patched because the patch is easier than explaining why the exploit doesn't work. Mean while getting time to explore really serious problems never happens.

    For all you potential hackers see if you can weaponize this:
    x509 certs are written in ASN1. If the ASN1 is malformed, that is the lengths of the child components don't add up to the length of the parent, the parser may not catch it. In fact I was able to construct malformed x509 certs that where still parsed by every parser I tried. The exploit is that different parsers parse malformed x509 differently. See if you can get a CA to sign a Certificate for a domain you control but when given to a different parser grants you access to something else.

  • Not a Linux problem (Score:3)

    by couchslug ( 175151 ) on Friday June 25, 2021 @03:15PM (#61521130)

    As usual.

    • Aren't you glad you use Linux? I spent a 20 year career as a sysadmin/"windows janitor". When I retired, I decided I was DONE with anything out of Redmond...

      • Except this time it is also a Linux problem. You can buy machines from Dell that come with a native Linux install, they even refund the Redmond tax. Usually this is correct, that the exploit is only for the Windows variants. However, the Linux machines are also exploitable this time.
    • Dell sells machines that come with Linux preinstalled. The Linux variants and Windows variants are both impacted. Here's an example: https://www.dell.com/support/h... [dell.com] Click onto any of the Linux options and the urgent BIOS update from June 23rd is listed and marked as urgent.
  • Dell is to software as an electrician is to being qualified to install CAT5/6... it may work once in a while, but usually causes more problems than its worth, no matter what they claim.
  • Well, I have to wonder if I was hacked this past week. After coming back and booting my Dell Inspiron 7579 I found that the file system was gone. I hate to jump on the "me too" band wagon as train is full enough of ignorant children. But I doubt it happened.

  • I have a Dell Latitude 5480, and it *came* with Windows 10, and i wasted NO time pulling the windows disk, putting it on the shelf, just in case of any warantee issues, and installed Linux on an SSD. Very soon after, when booting the system, I got a screen message advising that the bios was being updated. I was under the impression this feature only worked on systems with Windows. I refuse to use Windows for reasons and I won't comment on them here.

  • My alienware recently had a touchpad failure due to a bulging battery pushing on it. Before sending parts, the support rep insisted on running touchpad diagnostics. When he tried to connect, he sounded appalled that I had uninstalled support assist. I installed it so he could connect. He insisted I keep it on, and I said I would be removing it when this is over. He was irritated and insisted I keep it on. Lol, why would anyone keep this type of thing installed?

    • If for some godforsaken reason I had to run Windows on my Dell hardware, that is one piece of bloatware I'd be removing soonest. Fortuantly when I buy a new Dell corporate model, the first thing I do is remove the Windows harddrive and install Linux on an SSD. Windows just keeps getting stupider and stupider..

  • Glad I install Linux on most of my computers. The rest are running macOS. The big question is, Why don't people consider Microsoft products malware. Not running them removes the biggest threat vectors.

Slashdot Top Deals

God help those who do not help themselves. -- Wilson Mizner

Close