Multiple Vulnerabilities in Dell's BIOSConnect and HTTPS Boot

Published on 25 Jun 2021

Updated on 25 Jun 2021

Dell has released security patches to address multiple vulnerabilities affecting the BIOSConnect and HTTPS Boot features. BIOSConnect is a feature in Dell computers that enables users to perform firmware updates over the internet, while the HTTPS Boot feature is an extension to the Unified Extensible Firmware Interface (UEFI) HTTP Boot specification that allows booting from an HTTP(S) server.

The vulnerabilities are:
CVE-2021-21571 - An improper certificate validation vulnerability exists in Dell's UEFI BIOS HTTPS stack, which is used by the Dell BIOSConnect and HTTPS Boot features. Successful exploitation by a remote unauthenticated attacker using a person-in-the-middle attack could lead to a denial of service and payload tampering.

CVE-2021-21572 - A buffer overflow vulnerability exists in Dell's BIOSConnect feature. An authenticated malicious admin user with local access to the system could exploit this vulnerability to run arbitrary code and bypass UEFI restrictions.
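The first vulnerability class above (improper certificate validation in an HTTPS update client, leading to person-in-the-middle tampering) is easiest to understand next to what a correct client does. The following is an added illustration written for this page, not Dell's code and not a reproduction of the BIOSConnect stack: it shows a TLS client context that actually validates the server certificate beside the weak configuration, plus an out-of-band digest check on the downloaded image so that a tampered payload is refused even if the transport were compromised. The update URL, the CA bundle path, the pinned fingerprint and the published digest are all hypothetical placeholders.

```python
"""Added example (not Dell's code): validating TLS and the payload for a
firmware-update download.  All URLs, paths and digests are constructed
placeholders for illustration."""
import hashlib
import hmac
import ssl
from urllib.request import Request, urlopen

# Well-known SHA-256 test vector, used here as a stand-in for the digest a
# vendor would publish for a firmware image (constructed sample value).
SAMPLE_IMAGE = b"abc"
SAMPLE_IMAGE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def build_update_tls_context(cafile=None):
    """Hardened client context: chain validation against a trusted CA bundle,
    hostname verification, and no TLS older than 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # system store if cafile is None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_insecure_context():
    """The anti-pattern: encryption without authentication.  Any on-path
    party can present its own certificate and the client accepts it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Policy check a reviewer or CI job can run over a context object."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def cert_fingerprint_matches(der_cert, pinned_sha256_hex):
    """Optional pinning: compare the SHA-256 of the server's DER certificate
    (as returned by SSLSocket.getpeercert(binary_form=True)) with a value
    shipped in the client.  Constant-time compare avoids timing leaks."""
    return hmac.compare_digest(sha256_hex(der_cert), pinned_sha256_hex.lower())


def verify_payload(payload, expected_sha256_hex):
    """Out-of-band integrity check on the downloaded image."""
    return hmac.compare_digest(sha256_hex(payload), expected_sha256_hex.lower())


def fetch_and_verify(url, expected_sha256_hex, cafile=None, fetch=None):
    """Download over a validating TLS context, then refuse any image whose
    digest does not match the published value.  `fetch(url, ctx)` may be
    injected so the logic can be exercised offline."""
    ctx = build_update_tls_context(cafile)
    if fetch is None:
        def fetch(u, c):
            with urlopen(Request(u), context=c, timeout=30) as resp:
                return resp.read()
    payload = fetch(url, ctx)
    if not verify_payload(payload, expected_sha256_hex):
        raise ValueError("firmware image digest mismatch; refusing to apply update")
    return payload


if __name__ == "__main__":
    # Offline demonstration with a constructed fetcher standing in for the network.
    image = fetch_and_verify("https://updates.example.invalid/fw.bin",  # placeholder URL
                             SAMPLE_IMAGE_SHA256,
                             fetch=lambda u, c: SAMPLE_IMAGE)
    print("hardened context:", context_is_hardened(build_update_tls_context()))
    print("insecure context:", context_is_hardened(build_insecure_context()))
    print("image accepted, %d bytes" % len(image))
```

The two checks are deliberately independent: certificate validation protects the channel, while the digest (or, better, a vendor signature) protects the artifact, so a failure in one does not silently become a firmware compromise.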

The list of affected products can be found here.

Users and administrators of the affected products who typically use BIOSConnect to update the BIOS are advised to use alternative methods to apply the BIOS updates, such as:

For users and administrators who are unable to apply the BIOS updates immediately, Dell has provided interim mitigation measures to disable the BIOSConnect and HTTPS Boot features.

More information is available here:
https://www.bleepingcomputer.com/news/security/dell-supportassist-bugs-put-over-30-million-pcs-at-risk/
https://www.dell.com/support/kbdoc/en-sg/000188682/dsa-2021-106-dell-client-platform-security-update-for-multiple-vulnerabilities-in-the-supportassist-biosconnect-feature-and-https-boot-feature
https://www.dell.com/support/kbdoc/en-si/000139419/support-notifications-overview-and-common-questions