Five new BIOS security weaknesses have been discovered in the BIOS used by Dell in many of its Alienware, Inspiron and Latitude products. The vulnerabilities, collated by The Hacker News and partly discovered by security firm Binarly, could allow an attacker to execute potentially damaging code.
Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the highest severity level is 8.2, or High, on the National Vulnerability Database’s scale.
Models with the vulnerability include Alienware 13, 15 and 17 laptops, Edge Gateway 3000 and 5000 servers, Inspiron laptops and all-in-ones, Vostro laptops and desktops, Embedded Box PCs 3000 and 5000, the Wyse 7040 Thin Client, and XPS 8930 desktops. A complete list is available from the Dell support website, along with links to firmware updates.
The exploits all take advantage of the x86 microcontroller’s System Management Mode, which usually looks after things like power management and temperature. Its code, which is usually proprietary and manufacturer-developed, runs at the highest privilege level and is invisible to both the operating system and the TPM chip, if installed. This makes it ripe for exploitation, and can be used to deploy a firmware-based rootkit. However, it’s worth noting that a malicious user has to be locally authenticated to begin the attack, meaning physical access to the PC is required.
The BIOS, as Binarly explains, is a complex thing, and it’s difficult to close all the holes that could be used for an attack: "These failures are a direct consequence of the complexity of the codebase or support for legacy components that get less security attention, but are still widely deployed in the field. In many cases, the same vulnerability can be fixed over multiple iterations, and still, the complexity of the attack surface leaves open gaps for malicious exploitation.
“The majority of enterprise tools available for source code analysis are not suitable for pinpointing firmware-specific security defects,” Binarly continues. “There are multiple reasons, one of the most obvious being the differences in implementations of the memory management functions compared to the non-firmware-specific software. This leads to a false sense of security when no vulnerabilities are detected at source code level.”
Dell recommends downloading a BIOS update for affected computers immediately. Binarly commended Dell for its fast response to the situation, writing: “It took about three months from the issue reporting to the patch release, when the usual timeline with other vendors is close to six months.”