Microsoft and Eclypsium lock horns over Dell SupportAssist flaws on secured-core PCs

Niggles continue even after problem was quietly fixed

The Dell SupportAssist RCE furore has rumbled on after infosec outfit Eclypsium snapped back at Microsoft's statement on the matter.

The issue is a set of four vulnerabilities in BIOSConnect, the remote firmware update feature of Dell's SupportAssist, that could have permitted arbitrary code to run in the pre-boot environment on a range of Dell PCs.

The advisory was published last week, and Dell had worked with Eclypsium from March, well ahead of the public disclosure. According to Dell, the vulnerabilities were remediated from 24 June, and for those unable to apply the BIOS updates immediately the company published an interim mitigation: disable HTTPS Boot and the BIOSConnect feature.

The problem, according to Eclypsium, is that the attack works on secured-core PCs and could impact user data. This is not good – after all, Microsoft trumpets secured-core PCs, replete with secured hardware down to the firmware level, as "the most secure Windows 10 devices out-of-the-box."

And that's without considering the beefed-up baselines likely to form the basis of Windows 11's hardware needs when the wunder-OS ships later this year.

According to Eclypsium, Microsoft denied that its System Guard firmware protection could be dodged through the method published, and told the infosec researcher: "The attack described in the published research circumvents protections provided by secure boot. However, Secured-core PCs go a step further and implement System Guard firmware protection which helps protect sensitive assets stored in virtualization-based security, like credentials, from attacks that take advantage of firmware vulnerabilities to bypass features like secure boot."

The Microsoft statement continued: "The threat model of secured-core assumes a compromised firmware such as the case presented here, and thus the attack as described would still be subject to security verification by the firmware protection features in secured-core. A failure of verification by System Guard would cause the system to fail attestation and Zero Trust solutions like Microsoft's conditional access would then block the device from protected cloud access.

"The documentation provided so far by the researchers does not demonstrate how System Guard could be bypassed using the discovered vulnerabilities."

And that's that. Except, it isn't, according to the flaw finders.

Straw man alert

John Loucaides, veep of R&D at Eclypsium, retorted, "The attack works on Dell PCs including secured-core PCs and affects user data. Microsoft's response is a strawman of our statements in order to divert attention from what we actually said."

"Remote attestation for access to cloud assets is irrelevant and does nothing to prevent exploiting a vulnerability in UEFI firmware to achieve arbitrary code execution in the pre-boot environment and leveraging that to gain access to user data on the device or gain arbitrary code execution once a user logs into the system."

Indeed, Microsoft does seem to be dancing around the issue a little with its worries about the cloud. The Register contacted Redmond to confirm the statement given to Eclypsium and check it fully understood the issue being documented. We were rewarded with a solid "No comment" from the company.

Sean Wright, lead application security SME at Immersive Labs, told The Register that System Guard was indeed "an excellent example of defense in depth."

He did, however, describe an attack as not impossible (although "incredibly unlikely") and pointed out that the tech would "significantly increase the complexity of a successful attack since the attacker would have to sign any modifications with a trusted signature."

He added that "it is important to note that not everyone will be using Windows, many others will be using Linux which may not provide the same levels of protection."

As for the vulnerability itself, Wright praised Eclypsium and Dell for the responsible manner in which the disclosure was made and mitigated. He noted that while the impact was potentially severe, actually exploiting it would be a challenge.

"First," he said, "an attacker would need to be able to intercept the connection between the victim's system and the relevant Dell servers. Since many would likely be using corporate devices, they will also hopefully be using corporate VPN connections. This means all traffic will be encrypted and the attack would need to focus on targeting the corporation's network connections, which significantly raises the complexity.

"Secondly, with many still working from home, attacks such as public wireless hotspots will not be common. In terms of intercepting these connections it would have to likely be a sophisticated and targeted attack."

That said, he also urged users to either apply the updates or mitigations as soon as possible.

"This vulnerability also shows why it is so important that developers follow the correct steps when validating certificates in their software," he said.

"This is a fundamental step in ensuring the security of a TLS connection and not doing so can effectively remove most protections provided by the TLS protocol." ®
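Wright's closing point is the crux of the whole affair: a TLS client that skips chain or hostname verification still gets an encrypted channel, but it has no idea who is on the other end, so the interception he describes becomes a full compromise rather than a failed handshake. The Go program below is an added example, not code from the page, from Dell or from Eclypsium. It constructs an in-memory vendor CA, a legitimately issued certificate, a certificate issued by that CA for the wrong host, and a self-signed "rogue" certificate for a hypothetical update server `downloads.vendor.example`, then runs a loopback TLS handshake against each with two clients: one that skips verification (`InsecureSkipVerify: true`) and one that pins the vendor CA and checks the hostname. The hostname, CA name and the `RunScenarios` helper are all assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// updateHost is a hypothetical hostname standing in for a vendor's firmware download server.
const updateHost = "downloads.vendor.example"

// newCert mints an ECDSA P-256 certificate. With parent == nil it is self-signed (a rogue cert
// anyone can create); otherwise it is issued by parent. All material is constructed in memory.
func newCert(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// insecureClient mirrors a client that performs no certificate validation at all.
func insecureClient() *tls.Config {
	return &tls.Config{ServerName: updateHost, InsecureSkipVerify: true}
}

// hardenedClient trusts only the vendor CA and requires the cert to be valid for updateHost.
func hardenedClient(ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{ServerName: updateHost, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// handshake serves one TLS connection on loopback with serverCert and returns the client's
// verdict: nil if the client accepted the certificate, otherwise the verification error.
func handshake(clientCfg *tls.Config, serverCert *x509.Certificate, serverKey *ecdsa.PrivateKey) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{
		Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}}}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = tls.Server(conn, serverCfg).Handshake() // a rejection shows up here as a client alert
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		panic(err)
	}
	defer conn.Close()
	return tls.Client(conn, clientCfg).Handshake()
}

// RunScenarios records, for each client/server pair, whether the client accepted the certificate.
func RunScenarios() map[string]bool {
	caCert, caKey := newCert("Vendor Update CA (constructed)", nil, true, nil, nil)
	legit, legitKey := newCert(updateHost, []string{updateHost}, false, caCert, caKey)
	wrong, wrongKey := newCert("cdn.other.example", []string{"cdn.other.example"}, false, caCert, caKey)
	rogue, rogueKey := newCert(updateHost, []string{updateHost}, false, nil, nil)
	servers := []struct {
		name string
		cert *x509.Certificate
		key  *ecdsa.PrivateKey
	}{{"legit", legit, legitKey}, {"wrong-host", wrong, wrongKey}, {"rogue", rogue, rogueKey}}
	clients := []struct {
		name string
		cfg  *tls.Config
	}{{"insecure", insecureClient()}, {"hardened", hardenedClient(caCert)}}
	out := map[string]bool{}
	for _, c := range clients {
		for _, s := range servers {
			out[c.name+"/"+s.name] = handshake(c.cfg, s.cert, s.key) == nil
		}
	}
	return out
}

func main() {
	for k, v := range RunScenarios() {
		fmt.Printf("%-20s accepted=%v\n", k, v)
	}
}
```

Run it with `go run .`: the insecure client accepts all three certificates, including the self-signed one an interceptor could mint on the spot, while the hardened client accepts only the certificate that both chains to the pinned CA and names the expected host. Both checks matter: a trusted chain alone still lets the wrong-host certificate through, which is why pinning the issuer and verifying the hostname belong together.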
