Announcement

**numacross** · 24 June 2021, 12:29 PM

When attempting to connect to the backend Dell HTTP server, the TLS connection from BIOSConnect will accept any valid wildcard certificate.
[...]
The process of verifying the certificate for dell.com is done by first retrieving the DNS record from the hard-coded server 8.8.8.8 (Google)
[...]

Yup, great security practices here.

Fortunately their BIOS updates are both non-invasive (setting preservation is guaranteed) and universal (fwupd + the .exe works in Windows, the pre-boot built-in updater and, for older models, FreeDOS), so mass updates are feasible. Too bad the updater itself has been found insecure as well

**david-nk** · 24 June 2021, 12:44 PM

So can this be exploited arbitrarily or does the user actually have to manually initiate something, like a firmware update?

**uid313** · 24 June 2021, 01:35 PM

This LVFS/FWUPD is great!
They should port it to Windows!

**Adarion** · 24 June 2021, 01:54 PM

As far as I know W32 already has this kind of mechanism and they bricked several machines by installing the wrong FW updates on patchday.

BIOS connect sounds bad by itself... it should be patched out. I understand that admins don't want to do too much sports these days, but all this remote stuff on lowest level... uuh, can end pretty bad.

**tildearrow** · 24 June 2021, 02:49 PM

Originally posted by 144Hz View Post

uid313 Send your regards to the Gnome guy who did the work.

OK please tell me. What does this have to do with the article?

Troll.

**stormcrow** · 24 June 2021, 02:54 PM

TL;DR version or if your system isn't one of the listed systems: You should still look to see if "BIOSConnect" is an option in your BIOS setup screen and disable it if you haven't already. Just because your system isn't listed doesn't mean it's not vulnerable, just means it's likely not going to get an update.

**tildearrow** · 24 June 2021, 02:57 PM

Originally posted by 144Hz View Post

tildearrow It’s a comment on a comment. Don’t like that? Then don’t do comment on a comment on a comment.

Troll-troll.

It's an off-topic comment on an on-topic comment. Don't like being pointed out? Then don't do Phoronix owner roleplay on a comment on an off-topic comment on an on-topic comment.

Troll-troll-troll. Let's go back on topic; no more posts from you from this point onward.

Wait a moment, the darn firmware has 8.8.8.8 HARD-coded into it?!

You got to be kidding! Why not Cloudflare DNS instead or ANYTHING that is not Google?!

**CochainComplex** · 24 June 2021, 03:16 PM

Hardcoded google DNS. Great ...should we look for android vulnerabilities on dell devices too? During firmware boot is there any homephoning or network traffic known?

**Teggs** · 24 June 2021, 04:49 PM

I found this extremely amusing! But then I considered Dell's customers. The average user wouldn't understand word one of this article. They pay Dell to keep this kind of problem away from them, not cause it to occur.

Originally posted by CochainComplex View Post

Hardcoded google DNS. Great ...should we look for android vulnerabilities on dell devices too? During firmware boot is there any homephoning or network traffic known?

Do you think some money changed hands, or it was just convenient for Dell employees?

Announcement

Dell BIOS/UEFI Under Attack From New Vulnerabilities - Use FWUPD For The Latest Updates

Dell BIOS/UEFI Under Attack From New Vulnerabilities - Use FWUPD For The Latest Updates

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment