Five new vulnerabilities have been found in Dell BIOS; if the vulnerabilities are successfully exploited, the systems can have codes executed remotely. The Dell vulnerability is another firmware vulnerability recently uncovered in Insyde Software’s InsydeH2O and HP Unified Extensible Firmware Interface (UEFI).
The vulnerabilities tracked CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, score 8.2 out of 10 on the CVSS.
“The active exploitation of all the discovered vulnerabilities can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement,” firmware security company Binarly, which discovered the latter three flaws, said in a write-up.
“The remote device health attestation solutions will not detect the affected systems due to the design limitations invisibility of the firmware runtime.”
All the flaws are linked to incorrect input validation vulnerability impacting the System Management Mode (SMM) of the firmware. The vulnerability allows an unauthorized attacker to use the System management interrupt (SMI) for arbitrary code execution.
System Management Mode means a special-purpose CPU mode in x86 microcontrollers that handle system-wide functions like power management, system hardware control, thermal monitoring, and other proprietary manufacturer-developed code.
When one of these operations need to be carried out, a non-maskable (SMI) executes SMM code installed by the BIOS. The SMM code is executed with the highest privilege and is invisible to the operating system underneath. The invisibility makes it vulnerable to deploying persistent firmware implants.
Several Dell products like Alienware, Inspiron, Vostro, and Edge Gateway 3000 Series are affected. Dell has recommended customers update BIOS as soon as possible.
“The ongoing discovery of these vulnerabilities demonstrate what we describe as ‘repeatable failures’ around the lack of input sanitation or, in general, insecure coding practices,” Binarly researchers said.
“These failures are a direct consequence of the complexity of the codebase or support for legacy components that get less security attention, but are still widely deployed in the field. In many cases, the same vulnerability can be fixed over multiple iterations, and still, the complexity of the attack surface leaves open gaps for malicious exploitation.”