Faulty update mechanism puts millions of Dell devices at risk


Cybersecurity researchers have discovered four critical vulnerabilities in the pre-boot environment of Dell devices that expose them to remote code execution attacks.

Security vendor Eclypsium reports that the vulnerabilities in Dell's BIOSConnect tool affect well over a hundred Dell device models, including both consumer and business desktops, laptops, and tablets.

BIOSConnect is the firmware update and remote operating system recovery feature of SupportAssist, the support tool that comes bundled with Dell computers.

“Our research has identified a series of four vulnerabilities that would enable a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines,” reads the report from Eclypsium.

Dell has already put out patches to mitigate the vulnerabilities.

Alluring target

According to Threatpost, the bugs allow threat actors to circumvent the Secure Boot protections of Dell devices, control their boot process, and subvert the operating system and higher-layer security controls.

The core vulnerability involves an insecure TLS connection between Dell and the BIOS on their devices. The report explains that thanks to the bug, the BIOSConnect TLS connection will accept "any valid wildcard certificate."

This, the researchers note, effectively allows attackers to impersonate Dell and deliver any malicious content to the victim’s device.
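The wildcard problem described above comes down to hostname verification: a chain that validates to a trusted CA proves nothing unless the certificate's name is also matched against the server the client meant to reach. The sketch below is an added example, not Dell's or Eclypsium's code; the host name, certificate names and function names are constructed, and `flawed_accepts` only models the behaviour as the report describes it.

```python
# Added illustration. All names below are constructed; none come from Dell firmware.
EXPECTED_HOST = "updates.vendor.example"  # hypothetical update server the client dials

def flawed_accepts(cert_names, chain_valid, host=EXPECTED_HOST):
    """Model of the reported behaviour: a trusted chain plus ANY wildcard name passes."""
    return chain_valid and any(
        n.startswith("*.") or n.lower() == host for n in cert_names)

def name_matches(pattern, host):
    """RFC 6125-style match: '*' only as the whole left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p:
        return False
    if p[0] == "*":
        # Hardening choice: refuse over-broad patterns such as '*.example'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def strict_accepts(cert_names, chain_valid, host=EXPECTED_HOST):
    """Trusted chain AND a name that actually covers the intended host."""
    return chain_valid and any(name_matches(n, host) for n in cert_names)

# Constructed sample certificates: (subjectAltName DNS entries, chain validates?)
SAMPLES = [
    (["updates.vendor.example"], True),     # exact name, trusted
    (["*.vendor.example"], True),           # vendor's own wildcard
    (["*.unrelated.example"], True),        # someone else's valid wildcard
    (["*.example"], True),                  # over-broad wildcard
    (["*.updates.vendor.example"], True),   # wildcard one level too deep
    (["*.vendor.example"], False),          # right name, untrusted chain
]

def compare(samples=SAMPLES):
    """Return (names, flawed_result, strict_result) for each sample."""
    return [(names, flawed_accepts(names, ok), strict_accepts(names, ok))
            for names, ok in samples]

if __name__ == "__main__":
    for names, flawed, strict in compare():
        print(f"{names[0]:28} flawed={flawed!s:5} strict={strict}")
```

The rows where the two checks disagree are the certificates that are valid for some other domain, which is the gap the report describes.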

The other three vulnerabilities are buffer overflow vulnerabilities, which are enabled by the exploited insecure TLS connection, and allow arbitrary code execution at the BIOS/Unified Extensible Firmware Interface (UEFI) level. 

Eclypsium believes that the Dell vulnerabilities show that as vendors increasingly switch to over-the-air update processes, any unaddressed vulnerabilities in the mechanism can have serious consequences. 

“This combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future,” Eclypsium concludes.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
