Microsoft and Eclypsium got into serious debate over Dell SupportAssist vulnerabilities
Debates about the recently disclosed vulnerabilities in Dell SupportAssist still continue, although the vulnerabilities have already been fixed, as the information security company Eclypsium sharply reacted to Microsoft’s notification about this issue.
These are four vulnerabilities in the Dell SupportAssist Remote Firmware Update utility that could allow arbitrary code to run on some PCs.The security notice was released last week, and since March 2021 (well before the notice was released) Dell has been working with Eclypsium to fix the issues. All vulnerabilities have been patched since June 24, Dell said. The company also posted a workaround for those unable to immediately install BIOS updates by disabling HTTPS boot and BIOSConnect functionality.
According to Eclypsium, the problem is that attacks even work on PCs with a secure kernel and can affect user data.
According to Eclypsium, Microsoft denied it was possible to bypass the System Guard firmware protection with the published method.
The secure kernel threat model assumes the presence of compromised firmware, as in the case presented here, and therefore the described attack will still be subject to security checks using the firmware protection functions in the secure kernel. Failure to validate System Guard will result in the system failing to pass attestation, and Zero Trust solutions such as Microsoft’s conditional access will block the device from accessing the secure cloud.
The documentation provided by the researchers does not demonstrate how the discovered vulnerabilities can be used to bypass System Guard.Microsoft said.
However, Eclypsium researchers who discovered the vulnerabilities disagree with Microsoft’s statement. According to Eclypsium specialist John Loucaides, the attack works on Dell PCs, including those with a secure core, and affects user data.
As the specialist explained, remote attestation for access to cloud resources is irrelevant and does not in any way prevent the exploitation of vulnerabilities in the UEFI firmware to execute arbitrary code in a pre-boot environment and then access user data.
Indeed, Microsoft seems to be buzzing around the issue, worrying more about the cloud.
The company did not comment on Lucaides’ statement in any way.
Let me remind you that we wrote that Cybersecurity experts discovered the second ever bootkit for UEFI.