Dell BIOS/UEFI Under Attack From New Vulnerabilities - Use FWUPD For The Latest Updates


  • Dell BIOS/UEFI Under Attack From New Vulnerabilities - Use FWUPD For The Latest Updates

    Phoronix: Dell BIOS/UEFI Under Attack From New Vulnerabilities - Use FWUPD For The Latest Updates

    For those wondering about the recent skyrocketing in LVFS/FWUPD usage for Linux firmware updates, it appears to be attributed to Dell pushing out a massive number of updates with more than one hundred models impacted by newly-disclosed BIOS/UEFI vulnerabilities...

    https://www.phoronix.com/scan.php?pa...isconnect-Vuln

  • #2
    When attempting to connect to the backend Dell HTTP server, the TLS connection from BIOSConnect will accept any valid wildcard certificate.
    [...]
    The process of verifying the certificate for dell.com is done by first retrieving the DNS record from the hard-coded server 8.8.8.8 (Google)
    [...]
    Yup, great security practices here.

    Fortunately their BIOS updates are both non-invasive (setting preservation is guaranteed) and universal (fwupd + the .exe works in Windows, the pre-boot built-in updater and, for older models, FreeDOS), so mass updates are feasible. Too bad the updater itself has been found insecure as well.

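The certificate check quoted in post #2, as an added example that is not part of the thread and not Dell's code: a simplified model of a client that accepts any chain-valid wildcard certificate, beside a check that also requires a SAN matching the intended host. The hostname `updates.vendor.example`, the function names and the sample certificates are constructed for illustration.

```python
# Added example: every name and certificate below is constructed.
EXPECTED_HOST = "updates.vendor.example"  # hypothetical update server

def _labels(name):
    return name.lower().rstrip(".").split(".")

def san_matches(hostname, pattern):
    """RFC 6125-style match; '*' may only be the entire left-most label."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # One wildcard label, at least two fixed labels after it (no '*.com').
        return len(pat) >= 3 and "*" not in "".join(pat[1:]) and host[1:] == pat[1:]
    return "*" not in pattern and host == pat

def weak_check(cert):
    """Simplified model of the quoted behaviour: a chain-valid wildcard
    certificate is accepted no matter which domain it was issued for."""
    return cert["chain_valid"] and any(s.startswith("*.") for s in cert["san_dns"])

def strict_check(cert, expected_host=EXPECTED_HOST):
    """Chain must validate AND a SAN must name the host we meant to reach."""
    return cert["chain_valid"] and any(
        san_matches(expected_host, s) for s in cert["san_dns"])

# Constructed stand-ins for already-parsed certificates (chain result + SANs).
SAMPLE_CERTS = {
    "vendor_wildcard":    {"chain_valid": True,  "san_dns": ["*.vendor.example"]},
    "unrelated_wildcard": {"chain_valid": True,  "san_dns": ["*.unrelated.example"]},
    "self_signed_vendor": {"chain_valid": False, "san_dns": ["*.vendor.example"]},
    "too_broad_wildcard": {"chain_valid": True,  "san_dns": ["*.example"]},
}

def audit(certs=SAMPLE_CERTS):
    """Return {name: (weak_result, strict_result)} for each sample."""
    return {n: (weak_check(c), strict_check(c)) for n, c in certs.items()}

if __name__ == "__main__":
    for name, (weak, strict) in audit().items():
        flag = "  <-- accepted only by the weak check" if weak and not strict else ""
        print(f"{name:20} weak={weak!s:5} strict={strict!s:5}{flag}")
```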


    • #3
      So can this be exploited arbitrarily or does the user actually have to manually initiate something, like a firmware update?
      Last edited by david-nk; 24 June 2021, 12:49 PM.



      • #4
        This LVFS/FWUPD is great!
        They should port it to Windows!



        • #5
          As far as I know W32 already has this kind of mechanism and they bricked several machines by installing the wrong FW updates on patchday.

          BIOS connect sounds bad by itself... it should be patched out. I understand that admins don't want to do too much sports these days, but all this remote stuff on lowest level... uuh, can end pretty bad.
          Stop TCPA, stupid software patents and corrupt politicians!



          • #6
            Originally posted by 144Hz
            uid313 Send your regards to the Gnome guy who did the work.
            OK please tell me. What does this have to do with the article?

            Troll.



            • #7
              TL;DR version or if your system isn't one of the listed systems: You should still look to see if "BIOSConnect" is an option in your BIOS setup screen and disable it if you haven't already. Just because your system isn't listed doesn't mean it's not vulnerable, just means it's likely not going to get an update.



              • #8
                Originally posted by 144Hz
                tildearrow It’s a comment on a comment. Don’t like that? Then don’t do comment on a comment on a comment.

                Troll-troll.
                It's an off-topic comment on an on-topic comment. Don't like being pointed out? Then don't do Phoronix owner roleplay on a comment on an off-topic comment on an on-topic comment.

                Troll-troll-troll. Let's go back on topic; no more posts from you from this point onward.


                Wait a moment, the darn firmware has 8.8.8.8 HARD-coded into it?!

                You got to be kidding! Why not Cloudflare DNS instead or ANYTHING that is not Google?!
                Last edited by tildearrow; 24 June 2021, 03:10 PM.



                • #9
                  Hardcoded Google DNS. Great ...should we look for Android vulnerabilities on Dell devices too? During firmware boot is there any homephoning or network traffic known?



                  • #10
                    I found this extremely amusing! But then I considered Dell's customers. The average user wouldn't understand word one of this article. They pay Dell to keep this kind of problem away from them, not cause it to occur.

                    Originally posted by CochainComplex
                    Hardcoded Google DNS. Great ...should we look for Android vulnerabilities on Dell devices too? During firmware boot is there any homephoning or network traffic known?
                    Do you think some money changed hands, or it was just convenient for Dell employees?
