30 Million Dell Devices Have Preinstalled Software With 'Severe' Security Flaws

Published 2021-06-24

Fixes have been released for the vulnerabilities, but affected users will have to update their BIOS.

A major security flaw in Dell's firmware updating and operating system recovery software, BIOSConnect, potentially exposes tens of millions of devices that Dell preinstalled it on. BleepingComputer reported on Thursday that researchers with security firm Eclypsium discovered a flaw in BIOSConnect, which is part of Dell's standard SupportAssist software and updates the firmware on a computer's system board, that could allow attackers to remotely execute malicious code. In a report, the researchers wrote that the vulnerability was so severe it could "enable adversaries to control the device's boot process and subvert the operating system and higher-layer security controls," which would give them control "over the most privileged code on the device." There are four separate vulnerabilities, one of which involves insecure connections between a BIOS being updated and Dell's servers that allow an attacker to redirect the machine to a maliciously modified update package. The remaining three are classified as overflow vulnerabilities.

Eclypsium rated the bugs as severe security threats. Dell preinstalled the software on 129 different models of PC and laptop, with Eclypsium estimating around 30 million individual devices potentially vulnerable. According to ZDNet, Eclypsium first notified the manufacturer of the flaws in March 2021. The company has fixed two of the vulnerabilities on the server side and released a fix for the remaining two, but it requires users to update the BIOS/UEFI on each device. The Eclypsium researchers recommended in the report that Dell users stop relying on the BIOSConnect software to apply firmware updates. (More info can be found in Dell's advisory.) Fortunately, the researchers also noted that the attack would require redirecting a targeted machine's traffic to servers hosting malware. That makes it unlikely to be used against random Dell users, but when it comes to large enterprises with "supply chain and support infrastructure" that's of interest to hackers, the researchers wrote the "virtually unlimited control over a device that this attack can provide makes it worth the effort by the attacker." As BleepingComputer points out, security researchers have discovered several major flaws in Dell software in recent years, including in SupportAssist. Researcher Bill Demirkapi discovered a remote code execution vulnerability in the update software in 2019, while Dell patched a DLL search-order bug in 2020 that allowed the execution of arbitrary code.

Other vulnerabilities have included a remote code execution bug in Dell System Detect in 2015 and a glitch in the DBUtil driver, patched last month, that could allow hackers to take over a machine.