![\"\"](\"\/wp-content\/uploads\/2022\/10\/patch-watch-3.jpg\")
<\/p>\nOn June 24, 2021, Dell released fixes for four BIOS connect vulnerabilities that expose over 30 million individual devices. These security flaws could allow unauthorized remote code execution in a pre-boot environment for 129 different Dell products by giving a high-level control of the operating systems (OS).<\/p>\n
<\/p>\n
We examined the recently patched Dell vulnerabilities and here are our findings –<\/p>\n
Three of the Dell vulnerabilities are Remote Code Execution possibilities and one is Denial of Service.<\/p>\n<\/li>\n
Successful exploitation of these Dell BIOSConnect and HTTPS Boot features could potentially lead to a supply chain attack leading to complete control of the system by attackers.<\/p>\n<\/li>\n
Three CVEs are rated high and one of medium severity.<\/p>\n<\/li>\n
The CVSS V3 score assigned to these vulnerabilities ranges from 5.9 (medium) to 7.2 (high).<\/p>\n<\/li>\n
This series of vulnerabilities lead to Improper Certificate Validation and Buffer Overflow classified under CWE-295, CWE-122, and CWE-121.<\/p>\n<\/li>\n
A patch is available for these vulnerabilities, which reduces the risk posed by threat actors.<\/p>\n<\/li>\n
Yet, there are no publicly known exploits for these CVEs.<\/p>\n<\/li>\n
All the popular scanners failed to detect these four vulnerabilities.<\/p>\n<\/li>\n<\/ol>\n
It\u2019s worth noting that these vulnerabilities were discovered on March 2, 2021, and it took 118 days to develop a patch for these issues. Therefore, Organizations should continuously work to fix the issues in their product and quickly provide users with either a significant update to the version or a patch.<\/p>\n![\"\"](\"\/wp-content\/uploads\/2022\/10\/patch-watch-2.png\")
<\/strong><\/p>\nTimeline<\/h2>\n
\n\n
\n Date<\/strong><\/td>\n Description<\/strong><\/td>\n<\/tr>\n \n March 2, 2021<\/td>\n Eclypsium discovered four vulnerabilities in Dell.<\/td>\n<\/tr>\n \n March 3, 2021<\/td>\n Dell acknowledged the vulnerabilities.<\/td>\n<\/tr>\n \n June 18, 2021<\/td>\n Dell remediated two of the issues and published the advisory.<\/td>\n<\/tr>\n \n June 24, 2021<\/td>\n Dell issued an enhanced update to all four issues.<\/td>\n<\/tr>\n \n June 24, 2021<\/td>\n Vulnerabilities updated in NVD Database.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n ![\"\"](\"\/wp-content\/uploads\/2022\/10\/patch-watch-1.png\")
<\/p>\n