Flaws in Dell's over-the-air device recovery and update impacts millions of devices

The over-the-internet firmware update and OS recovery feature present in 128 Dell computer models suffers from certificate validation and other flaws that could allow man-in-the-middle (MitM) attackers to compromise the devices at the firmware level and deploy malicious implants.

The vulnerabilities were discovered by researchers from Eclypsium, a company that specialises in hardware and firmware security, and will be fully disclosed during a presentation in August at the DEF CON security conference.

Dell has started releasing BIOS/UEFI updates for the affected models and advises everyone to deploy those updates using alternative firmware update methods, not the impacted feature called BIOSConnect.

What is BIOSConnect?

BIOSConnect is a feature in the low-level firmware, the Unified Extensible Firmware Interface (UEFI), of Dell computers that allows users to perform recovery operations and firmware updates over the internet from outside the operating system.

Users can also install UEFI updates through SupportAssist, Dell's support software that's installed on its Windows computers by default and which also monitors device health, delivers OS driver updates for various components and helps users troubleshoot issues.

Dell computers also ship with a hidden service partition on their hard drives that can be used to launch SupportAssist OS Recovery from the boot menu if the installed operating system is corrupted and can no longer start. However, there might be situations where the service partition itself was deleted, was corrupted, or is absent because the entire hard drive was replaced.

In those cases, BIOSConnect allows users to start the recovery process directly from the internet. Specifically, the feature uses Google's Public DNS server 8.8.8.8 to find the IP address for the domain downloads.dell.com and then connects to the server over HTTPS. If the connection is successful, it downloads the SupportAssist recovery image, loads it into RAM and starts it.

The automation of OS recovery and firmware updates is a big improvement in the PC ecosystem over the traditional process of users having to manually search for BIOS updates or recovery tools on the manufacturers' support sites, then flash them to USB drives or optical discs and boot from them. The concept is not new. Apple has offered such an option on its computers for many years.

HTTPS certificate validation failures

The Eclypsium researchers found that the HTTPS certificate validation code used by BIOSConnect will accept any certificate for any domain name, not just dell.com, issued by any trusted certificate authority (CA).

The list of certificate trusted certificate authorities was imported from Mozilla's Root Certificate program and includes over 50 CAs operated by governments, commercial certificate providers and free certificate providers like Let's Encrypt. This means that an attacker with a MitM position would have no trouble spoofing downloads.dell.com and serving malicious code for BIOSConnect to execute.

Network connections are susceptible to hijacking through techniques such as ARP spoofing, DNS cache poisoning, or attackers gaining control of networking devices through which computers access the internet -- for example routers, wireless access point or VPN gateways.

Employees who work from home are even more susceptible to MitM attacks because home routers are generally riddled with unpatched vulnerabilities or use weak credentials. Vulnerabilities in enterprise VPN appliances are not uncommon and these devices are increasingly targeted by sophisticated attackers.

Software supply-chain attacks have also been on the rise in recent years and many of them have targeted software update mechanisms, so it's important for software updates to be delivered over encrypted connections.

In addition to encryption, HTTPS offers guarantees that devices connect to the legitimate update servers by verifying their certificates. For implementers this means that client-side certificate validation is critical, especially when dealing with something as vital as firmware updates.

Malicious firmware implants are some of the most persistent, stealthy and hardest to remove infections because they survive OS wipes and hard drive replacements. Over the years they have been used by intelligence agencies, nation-backed cyber espionage groups, and even sophisticated cyber criminals.

The Eclypsium researchers also found that a similar certificate validation flaw exists in another UEFI feature present in Dell computers called HTTPS Boot that allows computers to boot an OS image from a web server over the network or the internet.

HTTPS Boot is an improvement over the older PXE network boot that has existed in BIOS for decades and which is often used by IT teams to remotely deploy customised and updated OS images to computers on their networks.

Compared to BIOSConnect, HTTPS Boot allows users to configure a specific CA they decide to trust. Because any certificate issued by that CA will be trusted, not just the one for the specific boot server, the Eclypsium researchers advise against using a public CA like those operated by commercial certificate providers, cloud services or web hosting companies.

Buffer overflows enable UEFI code execution

In addition to the two certificate validation issues, Eclypsium identified three buffer overflow vulnerabilities in the file and code parsing of the BIOSConnect recovery and firmware update processes.

By exploiting these vulnerabilities, which will be presented in more detail at DEF CON, attackers can execute malicious code inside the UEFI and gain deep persistence on the device, interfere with the OS booting process and disable security features.

The researchers tell CSO that if the device does not have Secure Boot, a feature meant to cryptographically validate all code loaded inside the UEFI, as well as the OS bootloader, the buffer overflow vulnerabilities are not needed to launch an attack.

By simply exploiting the certificate validation issue, a MitM attacker can serve a malicious EFI executable that will be executed by the firmware during the recovery or update process.

However, if the device does have Secure Boot turned on, then this feature can be bypassed to achieve arbitrary code execution in the UEFI context by exploiting one of the three buffer overflow vulnerabilities. Two of them are located in the recovery process and one in the firmware update process.

One limitation of these attacks is that they require user interaction. Technically, for BIOSConnect to be used, the user must press F12 after a system reboot to open a special boot menu and choose either the OS Recovery or firmware update options. However, the Eclypsium researchers are currently investigating a potential scenario where the OS Recovery might start automatically.

The vulnerabilities were discovered and tested on a secured-core Latitude 5310 with Secure Boot turned on. Secured-core PCs are business computers built by OEMs according to a set of strict requirements by Microsoft designed to offer higher security assurances, including defences against firmware-level attacks. They combine integrated hardware, firmware, software, and identity protection.

According to the Eclypsium researchers, Dell has confirmed that 128 of its PC models use the vulnerable BIOSConnect feature, an estimated 30 to 40 million devices.

Given how these vulnerabilities work, it's unlikely that these devices will be targeted en masse in some widespread campaign, but the flaws are definitely usable in targeted attack scenarios against one or more organisations.