Multiple Vulnerabilities in Dell's BIOSConnect and HTTPS Boot
25 June 2021
Dell has released security patches to address multiple vulnerabilities affecting the BIOSConnect and HTTPS Boot features. BIOSConnect is a feature in Dell computers that enables users to perform firmware updates over the internet, while HTTPS Boot is an extension to the Unified Extensible Firmware Interface (UEFI) HTTP Boot specification that allows booting from an HTTP(S) server.
The vulnerabilities are:
- CVE-2021-21571 - An improper certificate validation vulnerability exists in Dell's UEFI BIOS HTTPS stack, which is used by the Dell BIOSConnect and HTTPS Boot features. Successful exploitation by a remote unauthenticated attacker using a person-in-the-middle attack could lead to a denial of service and payload tampering.
- CVE-2021-21572 - A buffer overflow vulnerability exists in Dell's BIOSConnect feature. An authenticated malicious admin user with local access to the system could exploit this vulnerability to run arbitrary code and bypass UEFI restrictions.
The list of affected products can be found here.
Users and administrators of the affected products who typically use BIOSConnect to update the BIOS are advised to use alternative methods to apply the BIOS updates, such as:
- Use one of the Dell notification solutions to be notified and download BIOS updates automatically once available.
- Download the update via Dell's Drivers and Downloads site for the applicable products.
- Flash the BIOS from the F12 One-Time Boot Menu.
For users and administrators who are unable to apply the BIOS updates immediately, Dell has provided interim mitigation measures to disable the BIOSConnect and HTTPS Boot features.
More information is available here: