Threat Watch

New Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems

Five new security vulnerabilities have been found in the Dell BIOS that, if exploited, could lead to code execution on the affected systems. Exploitation of these vulnerabilities is undetectable by remote device health attestation solutions, because such solutions have limited visibility into the firmware runtime, which makes a successful attack harder to detect.

All five vulnerabilities carry a CVSS score of 8.2 out of 10 and are tracked as:

  • CVE-2022-24415
  • CVE-2022-24416
  • CVE-2022-24419
  • CVE-2022-24420
  • CVE-2022-24421

All of the flaws stem from improper input validation in the firmware's System Management Mode (SMM). Exploiting them would allow a local, authenticated attacker to use the system management interrupt (SMI) to achieve code execution.

Since SMM code is executed at the highest privilege level and is invisible to the operating system, these vulnerabilities could allow an attacker to deploy a persistent firmware implant and maintain access to the system even if its hard drive or operating system is replaced.
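The bug class described above, an SMI handler acting on caller-controlled input without validating it, is easiest to see in code. The block below is an added illustration written for this note; it is not Dell's firmware and not the code behind any of the CVEs listed above. The SMRAM bounds, the request layout and every function name are constructed for the example. It shows the hardened side: the handler copies the request out of the shared communication buffer, rejects zero-length and wrapping ranges, and refuses anything that overlaps SMRAM before it does any privileged work.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical SMRAM window, constructed for this illustration only. A real
 * handler obtains these bounds from the platform's SMRAM descriptors. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Shape of the request a (hypothetical) SMI handler reads from the SMM
 * communication buffer: a caller-chosen destination address and byte count. */
typedef struct {
    uint64_t dst_addr;
    uint64_t length;
} SmmRequest;

enum SmmCheck {
    SMM_OK = 0,
    SMM_ERR_NULL,      /* no request supplied */
    SMM_ERR_ZERO_LEN,  /* empty request */
    SMM_ERR_WRAP,      /* dst_addr + length wraps the 64-bit address space */
    SMM_ERR_IN_SMRAM   /* request overlaps SMRAM */
};

/* True if [addr, addr + len) lies entirely outside SMRAM. The caller must
 * already have ruled out wrap-around so that addr + len is meaningful. */
bool range_outside_smram(uint64_t addr, uint64_t len) {
    uint64_t end = addr + len;                   /* exclusive end */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    bool overlaps = (addr < smram_end) && (end > SMRAM_BASE);
    return !overlaps;
}

/* The checks an SMI handler has to apply to caller-controlled input. The
 * request is copied into handler-private memory (*out) before being checked,
 * so the caller cannot alter it between the check and the use (TOCTOU). */
enum SmmCheck validate_request(const SmmRequest *shared_req, SmmRequest *out) {
    if (shared_req == NULL || out == NULL) return SMM_ERR_NULL;
    memcpy(out, shared_req, sizeof *out);        /* snapshot of the shared buffer */
    if (out->length == 0) return SMM_ERR_ZERO_LEN;
    if (out->dst_addr > UINT64_MAX - out->length) return SMM_ERR_WRAP;
    if (!range_outside_smram(out->dst_addr, out->length)) return SMM_ERR_IN_SMRAM;
    return SMM_OK;
}

/* Convenience wrapper: build a request from raw fields and validate it. */
enum SmmCheck check_request(uint64_t dst_addr, uint64_t length) {
    SmmRequest shared = { dst_addr, length };
    SmmRequest priv;
    return validate_request(&shared, &priv);
}

/* Handler skeleton. The privileged write is stood in for by a counter so the
 * program runs in user space; the point is that the handler only proceeds on
 * the validated private copy, never on the shared buffer. */
static uint64_t bytes_written = 0;

bool smi_handler(const SmmRequest *shared_req) {
    SmmRequest req;
    if (validate_request(shared_req, &req) != SMM_OK) return false;  /* refuse, touch nothing */
    bytes_written += req.length;
    return true;
}

/* Wrapper around smi_handler taking raw fields, plus a read-out of the counter. */
bool handle_request(uint64_t dst_addr, uint64_t length) {
    SmmRequest shared = { dst_addr, length };
    return smi_handler(&shared);
}

uint64_t total_bytes_written(void) { return bytes_written; }

static const char *verdict_name(enum SmmCheck c) {
    switch (c) {
    case SMM_OK:           return "accepted";
    case SMM_ERR_NULL:     return "rejected: null request";
    case SMM_ERR_ZERO_LEN: return "rejected: zero length";
    case SMM_ERR_WRAP:     return "rejected: address wrap";
    case SMM_ERR_IN_SMRAM: return "rejected: overlaps SMRAM";
    }
    return "unknown";
}

int main(void) {
    /* Constructed sample requests: one benign, the rest malformed or aimed at SMRAM. */
    const SmmRequest samples[] = {
        { 0x10000000ULL, 0x1000ULL },            /* ordinary RAM, accepted */
        { SMRAM_BASE + 0x100ULL, 0x10ULL },      /* inside SMRAM */
        { SMRAM_BASE - 0x8ULL, 0x10ULL },        /* straddles the SMRAM start */
        { UINT64_MAX - 4ULL, 0x10ULL },          /* wraps the address space */
        { 0x1000ULL, 0ULL },                     /* empty */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        SmmRequest priv;
        printf("dst=0x%016llx len=0x%llx -> %s\n",
               (unsigned long long)samples[i].dst_addr,
               (unsigned long long)samples[i].length,
               verdict_name(validate_request(&samples[i], &priv)));
    }
    return 0;
}
```

The two details that matter most for this class of bug are the snapshot (`memcpy` into private memory before any check) and the wrap-around test before the range comparison; without the first, a concurrent caller can change the request after it passes validation, and without the second, a large length can make `addr + len` wrap so that an in-SMRAM destination looks like it ends before SMRAM starts.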

ANALYST NOTES

Dell has released firmware updates that remediate these vulnerabilities. Updating affected Dell systems to the latest firmware version as soon as possible is strongly recommended. Binarly has released a tool called FwHunt that can help determine whether a system is vulnerable; users who cannot patch immediately are advised to run it against their Dell systems. Systems found to be vulnerable will need additional precautions until they can be patched. While exploitation of these vulnerabilities may not be detectable because of how they work, the behavior that follows code execution may be: the common activity threat actors perform once they have access to a system, including command-and-control beaconing, credential dumping, lateral movement within an environment, and so on. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these detection needs.

https://thehackernews.com/2022/03/new-dell-bios-bugs-affect-millions-of.html

https://www.dell.com/support/kbdoc/en-us/000197057/dsa-2022-053

https://github.com/binarly-io/FwHunt/blob/main/rules/AMI/BRLY-2021-043.yml