2022-03-22

Registered as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420 and CVE-2022-24421, the high-severity vulnerabilities have a rating of 8.2 out of 10 on the Common Vulnerability Scoring System (CVSS), a free and open industry standard for assessing the severity of computer system security vulnerabilities.

The information was released by Binarly, a company specializing in protecting devices from emerging firmware and hardware threats using modern artificial intelligence, after working with the brand to resolve these code execution vulnerabilities in the Dell BIOS through coordinated patching.

The description of these five vulnerabilities is as follows: "The Dell BIOS contains an incorrect input validation vulnerability. A locally authenticated malicious user can potentially exploit this vulnerability by using a system management interrupt (SMI) to obtain arbitrary code execution during System Management Mode (SMM)."

In essence, they are based on the AMI UsbRt attack vector, which is widespread in the industry and exposes massive attack surfaces on corporate networks. The UsbRt vulnerability was first discovered in 2016 and was named Aptiocalypsis. However, due to the complexity of the code, multiple variants of the bug were later discovered.

AMI stated that it "resolved and closed this security issue several years ago", but these new findings show that it is still present in the BIOS, so the Binarly team recommends removing the UsbRt component from future UEFI firmware updates to reduce the attack footprint. Given the complexity of the code in this component, it is difficult to maintain it and to keep the risk of arbitrary code running in System Management Mode (SMM) at an acceptable level.

System Management Mode refers to a special-purpose CPU mode on x86 processors that is designed to handle system-wide functions such as power management, system hardware control, thermal monitoring, and other manufacturer-developed proprietary code.
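The class of bug described above, incorrect input validation in an SMI handler, usually comes down to the handler trusting an address or length that the OS-level caller placed in a shared communication buffer. The following is an added C illustration of the check a defender expects such a handler to perform; it is not Dell, AMI or Binarly code. The SMRAM window (SMRAM_BASE, SMRAM_SIZE), the comm_header_t layout, handle_smi and the MAX_PAYLOAD limit are all constructed for the example; on real hardware the SMRAM range is read from chipset registers, and EDK II firmware exposes the equivalent test as SmmIsBufferOutsideSmmValid().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example SMRAM window (a 16 MiB TSEG at 2 GiB - 16 MiB).
 * Real firmware obtains these from the chipset, never from the caller. */
#define SMRAM_BASE  0x7F000000ULL
#define SMRAM_SIZE  0x01000000ULL
#define MAX_PAYLOAD 0x10000ULL   /* constructed per-request size cap */

/* Header a caller (outside SMM) places in the communication buffer. */
typedef struct {
    uint64_t data_addr;   /* where the caller says its payload lives */
    uint64_t data_len;    /* how long the caller says it is */
} comm_header_t;

typedef enum { SMI_OK = 0, SMI_REJECT_RANGE = 1, SMI_REJECT_SIZE = 2 } smi_status_t;

/* True only if [addr, addr+len) is non-empty, does not wrap around the
 * address space, and does not overlap SMRAM at all. A buffer that merely
 * straddles the SMRAM boundary is rejected too. */
bool buffer_outside_smram(uint64_t addr, uint64_t len,
                          uint64_t smram_base, uint64_t smram_size)
{
    if (len == 0)
        return false;
    if (addr > UINT64_MAX - len)        /* addr + len would wrap */
        return false;
    uint64_t end = addr + len;          /* exclusive */
    uint64_t smram_end = smram_base + smram_size;
    bool overlaps = (addr < smram_end) && (end > smram_base);
    return !overlaps;
}

/* Simulated SMI handler. hdr_addr is the physical address the caller used
 * for the header; untrusted_hdr is the same memory as seen from SMM. */
smi_status_t handle_smi(const comm_header_t *untrusted_hdr, uint64_t hdr_addr)
{
    /* 1. The header itself must lie entirely outside SMRAM. */
    if (!buffer_outside_smram(hdr_addr, sizeof(comm_header_t),
                              SMRAM_BASE, SMRAM_SIZE))
        return SMI_REJECT_RANGE;

    /* 2. Copy into SMRAM-resident storage before validating, so the caller
     *    cannot change the fields between the check and the use. */
    comm_header_t hdr;
    memcpy(&hdr, untrusted_hdr, sizeof hdr);

    /* 3. Bound the requested size before it drives any copy or loop. */
    if (hdr.data_len == 0 || hdr.data_len > MAX_PAYLOAD)
        return SMI_REJECT_SIZE;

    /* 4. The payload the header points at must also be outside SMRAM. */
    if (!buffer_outside_smram(hdr.data_addr, hdr.data_len,
                              SMRAM_BASE, SMRAM_SIZE))
        return SMI_REJECT_RANGE;

    /* Only now would the handler touch hdr.data_addr. */
    return SMI_OK;
}

int main(void)
{
    comm_header_t ok  = { 0x20000000ULL, 0x100 };            /* plain RAM */
    comm_header_t bad = { SMRAM_BASE + 0x100, 0x100 };       /* points into SMRAM */
    printf("valid request  -> %d\n", handle_smi(&ok,  0x10000000ULL));
    printf("SMRAM payload  -> %d\n", handle_smi(&bad, 0x10000000ULL));
    printf("SMRAM header   -> %d\n", handle_smi(&ok,  SMRAM_BASE + 0x10));
    return 0;
}
```

The order matters: the copy in step 2 is what turns a check on caller-writable memory into a check on SMM-owned memory, and step 3 has to precede any use of data_len because a handler that copies first and bounds later has already overrun.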

Affected Dell Products and Correction

For its part, the manufacturer, which Binarly at least credits with a fast turnaround ("about three months passed from when the problem was reported until the patch was released, when the usual schedule with other providers is almost six months"), has recommended that all customers update their BIOS as soon as possible.

The full list of affected computers is a mix of Dell products including Alienware, Inspiron, Vostro, and Edge Gateway 3000 Series: