If you have a Dell laptop, desktop or tablet, it may have severe security vulnerabilities. Dell has confirmed the flaws and released a security update to fix them. The flaws were discovered by security research firm Eclypsium in the BIOSConnect feature in Dell laptops.
The issue affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs. “Our research has identified a series of four vulnerabilities that would enable a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines,” says the security research firm in a press release.
According to the security research firm, the vulnerabilities were found on March 2, and the firm notified Dell immediately, on March 3. “These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls,” the research firm says.
Almost every Dell series of computers has been affected. Dell has published the list of all the affected models, which includes the Dell Inspiron, Latitude, Optiplex and Precision series, among others.
Dell has released a security patch to fix the flaws, but users will have to install the update manually. “Dell recommends all customers update to the latest Dell Client BIOS version at the earliest opportunity,” the company said on its support page.
Eclypsium explained how these flaws could give hackers control of devices. “The specific vulnerabilities covered here allow an attacker to remotely exploit the UEFI firmware of a host and gain control over the most privileged code on the device. This combination of remote exploitability and high privileges will likely make remote update functionality an alluring target for attackers in the future, and organizations should make sure to monitor and update their devices accordingly,” the firm explained.