Episode 123: Over 30 Million Dell Devices at Risk for Remote BIOS Attacks

Over 30 million Dell devices are at risk for remote BIOS attacks due to four separate security bugs, which can have far-reaching effects for enterprise organizations heavily invested in Dell hardware. VMware Carbon Black App Control was updated this week to fix a critical-severity vulnerability that allows authentication bypass. Antivirus creator John McAfee died in a Spanish jail, and a bug found by a security researcher in Atlassian's authentication could have led to a supply chain attack. A security update is planned for Google Drive that could break shared links. And a number of organizations were affected by security breaches, including the city of Tulsa, Oklahoma.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.

0:22 – Dell BIOS attacks RCE
3:24 – VMware Carbon Black App Control critical auth bypass
4:48 – John McAfee dies
8:37 – Atlassian bug could have led to 1-click takeover
10:05 – A Google Drive security update will break some of your shared links
11:10 – Breaches and ransomware attacks this week
13:37 – New features added to Fast or Slow
14:59 – Your weekly browser update reminder – Nothing this week

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 123 Transcript

Ram Gall:
Welcome to Think Like A Hacker, the podcast about WordPress security and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant.

Kathy Zant:
Here I am. It has been a crazy week, huh?

Ram Gall:
Yes, it has. It’s weird because a lot of these aren’t really getting a lot of high profile attention yet, but we’ve got a number of fairly concerning news items.

Kathy Zant:
We do. What’s going on with this Dell BIOS attack?

Ram Gall:
So this one kind of stood out to me. I've honestly never worked a corporate job that didn't use Dell machines. I've never seen a corporate job that didn't use Dell machines, but it looks like there's a set of exploits that allows attackers to basically impersonate Dell when the Dell machine does BIOS updates, and any sort of valid wildcard TLS certificate will pass the check. So once they have that, there's a number of overflow exploits that attackers can use to basically deliver a fake BIOS update to Dell machines. It's estimated that 30 million individual Dell endpoints worldwide are impacted.

Kathy Zant:
That’s a lot.

Ram Gall:
Yeah. Yeah, it is kind of a lot. So the good news is that it apparently takes a privileged position on the network. So the DNS server that the BIOS update checker uses is hard coded to 8.8.8.8, which is Google's. So you can't just futz with a hosts file, but if the attacker has a way to take over the office firewall or the VPN connection the computer is using, and there've been a ton of VPN exploits this year, I could see that maybe they could use that. Anyways. The thing is that the BIOS is literally the highest level of privileges you can get, and that would give the attacker ongoing persistence and also be really hard to detect.

Kathy Zant:
Oh, wow. This is kind of crazy because Dell machines are something that’s used in a lot of enterprise installations, whether it’s a desktop or servers or it’s kind of everywhere in large organizations.

Ram Gall:
I’ve never seen a corporate job that didn’t use Dell machines almost exclusively, except for the people that specifically requested something else.

Kathy Zant:
Right. Right. So the impact that this could have with 30 million individual Dell endpoints could be quite large. So once again, we’re seeing an instance where our friends in security operations are going to be busy, stressed out, scared.

Ram Gall:
Yeah. And I mean, the good news is that this is not necessarily trivial to exploit. The attacker does have to get themselves a privileged position on the network between the Dell endpoint and the Dell BIOS update servers. Nonetheless, Dell is starting to push out BIOS patches for all of the affected systems. And it looks like most of them are scheduled for Thursday, June 24th. And they've got a few others following up in July.

Kathy Zant:
Wow. Now we're not seeing indications that this is under any active attack in the wild. This is just a vulnerability that's been discovered that needs to get patched?

Ram Gall:
Correct. And again, that’s sort of the good news is, that none of the news today is really zero days.

Kathy Zant:
Yay. For a change.

Ram Gall:
Yeah. I should have led with that, but keep the dramatic tension and all of that. But speaking of dramatic tension, I feel like the VMware Carbon Black App Control one is even worse. So Carbon Black App Control is something that a lot of enterprises use to lock down systems. It basically only allows certain programs to run, which is generally a recommended way of doing things and preventing stuff like ransomware from running on your machine. So it turns out that the App Control server itself could be accessed without authentication and taken over. Basically, attackers could gain admin on the App Control server without authentication, if they had any ability to reach it at all. And, I mean, most of these are on internal networks, but all an attacker has to do is get a low-privilege internal network account, which is not that hard to do, and then they could use that to take over the App Control server. And then they could use that to pivot to taking over everything else.

Kathy Zant:
Yikes. Okay. But it looks like there are hotfixes available for this, so anybody who's using this App Control server can patch things.

Ram Gall:
Well, yes, that is the good news. There are no workarounds, but all you have to do is install the hotfix; 8.1.x and 8.0.x have hotfixes. You can also update to version 8.6.2 or 8.5.8.

Kathy Zant:
Excellent. There are lots of numbers there. We'll have a link in the show notes, so if this is something that affects you, check that out. In our next story, this one is the dramatic story, I think, of the week. John McAfee-

Ram Gall:
Who likes dramatic things a lot. He liked to be dramatic a lot. And yeah, it seems like he succeeded.

Kathy Zant:
What do you even say about this guy? He has been a character in the security world, in the cryptocurrency world, in the world at large. He has been a larger than life character, someone who has definitely pushed the envelope in a lot of ways. John McAfee died this week.

Ram Gall:
Yeah. I don’t think anyone could really say he was a good guy, but he was definitely an interesting guy.

Kathy Zant:
He was definitely an interesting individual. He was fascinating, not somebody I followed closely, but there was always something popping up where John McAfee said or did something completely and totally insane.

Ram Gall:
What wild thing did he do this time? Did he go swimming with the sharks to prove a point against some made up arch-nemesis?

Kathy Zant:
With guns? It was always something crazy like that that he did. Okay. So, McAfee Software, McAfee Antivirus, named after John McAfee, was eventually bought by, I think, Intuit. So he created the software, it bears his name, but he hasn't for a very long time been involved with McAfee Antivirus software.

Ram Gall:
And they are very glad about that.

Kathy Zant:
Probably, yes. No, he had been in a Spanish prison for a year. And then on Wednesday of this week, it was announced that he was going to be extradited to the United States because of some charges they had against him, tax evasion or something like that. And that day, the day that they said they were extraditing him, he was found dead in his cell from an alleged apparent suicide. Resuscitation attempts failed to revive him. I immediately... what did you post in the Water Cooler channel? That there was a 20% chance that you thought he faked his own death.

Ram Gall:
He died as he lived, under questionable circumstances.

Kathy Zant:
That he did. And so obviously he’s such an interesting character.

Ram Gall:
I don’t want to do conspiracy mongering, though. He was a weird guy.

Kathy Zant:
He was. Now Scott Adams, the Dilbert creator, posted on his Twitter, I thought this was hilarious: "If ever there was a man who could fake his own death and Bitcoin bribe his way out of foreign prison, it would be John McAfee. Not saying it happened. Not saying it didn't." Definitely very odd.

Ram Gall:
I mean, I also take anything Scott Adams says with several grains or shakers full of salt, but if there was ever a man who would at least try to do that, yes, John McAfee would absolutely attempt to do that.

Kathy Zant:
Yeah, definitely. I thought it was … who knows. We may find out in 10 years that he’s living in Argentina or something like that and died a slow peaceful death, but-

Ram Gall:
No, no. He will not, no matter what, slow and peaceful is not something that would describe anything that he would have done.

Kathy Zant:
Yeah. You’re probably right there. So anyway, this is more just security entertainment news.

Ram Gall:
Celebrity gossip news, basically.

Kathy Zant:
In the security world. Yeah. Yeah. I mean, definitely something interesting. But let's get back to some things that really do affect people. It looks like Atlassian had a bug that could have led to a one-click takeover. One-click basically means, what? That somebody has to actually click on something in order to make something happen?

Ram Gall:
So it looks like there's actually, basically, a series of bugs, including a number of, it looks like, cross-site scripting and poor site origin control. But basically, it looks like it might've been possible to socially engineer someone with an Atlassian account (Jira, Confluence, support, training) and take over their account. And just like Dell, Atlassian is used by a lot of really big organizations. So depending on whose account you took over, if you just took over an account at one of those organizations, then that'd be one thing. But if you actually took over an account at Atlassian, you could definitely have used that for some sort of supply chain attack.

Kathy Zant:
Definitely. Because so many other companies are using Atlassian products like Jira, I hear about it all the time. If somebody with the right privileges got in there and was able to take over some of these accounts, it could have wide-ranging effects. Now, this was a bug that was fixed; it was not exploited in the wild, correct?

Ram Gall:
Yes. Again, the good news is that as far as we know, none of these are zero days.

Kathy Zant:
Yay. That's always good news. Now Google announced yesterday, on June 23rd, that a security update is possibly going to break some shared links. If you're using Google Drive and sharing the links to documents within Google Drive, they're going to be applying a security update; it will increase the security of your shared documents and break some of these shared links. Now, this isn't rolling out until September 13th, 2021, but it's something we just wanted to make you aware of. If you haven't gotten a notification yet from Google that your Drive is affected, you probably will get one sometime over the next few weeks. If you are using Google Drive documents in any kind of public way, this is something that you'll need to look into, just in order to make sure that people don't get thrown into the world of being blocked by the security update.

Ram Gall:
Yep. It looks like they're basically adding an access key that's required in order to access links that you haven't accessed in the past. So, and now onto our breaches this week. This is where we actually have more breaches than usual... not more than usual, we just have the usual numbers. So it's been a slow week, apart from the McAfee thing, as far as actual critical stuff.

Kathy Zant:
Which is good. We need a break from Chrome zero days. Don’t we?

Ram Gall:
We do. Looks like Wolfe Eye Clinic, which is based in Iowa, is now in the process of notifying the 500,000 individuals whose personal data has been exposed in a data breach.

Kathy Zant:
Oh, fun. 500,000 people in Iowa who went to Wolfe Eye Clinic. Wow. So if you're in Iowa and you have used their services, that's something for you to look into to see if you have been affected. It also looks like Wegmans Food Markets, which is a grocery store chain in the Northeast that has really awesome private-label types of things (I enjoyed shopping there when I spent some time in upstate New York), has suffered a data breach, and this was due to misconfigured databases.

Ram Gall:
And that sounds like an open S3 bucket or something.

Kathy Zant:
Yeah. Yeah. We've seen things like that before. So this may affect you if you're a Wegmans customer. What else do we have?

Ram Gall:
Well, REvil has struck again. And this time they have hit a Brazilian medical diagnostics company called Grupo Fleury.

Kathy Zant:
Okay. REvil. They've been busy, huh?

Ram Gall:
They have been busy.

Kathy Zant:
This has been the year of REvil. It looks like the city of Tulsa also had a ransomware attack, and attackers have published police citations, including personally identifiable information. The Conti ransomware gang claimed responsibility and published, wow, almost 19,000 city files. So, that is definitely going to affect a big percentage of the people in Tulsa, it looks like.

Ram Gall:
Yeah, definitely. Apparently they got hit in May, but the attackers have actually started publishing and leaking the internal documents, which is fast becoming a much more prevalent tactic for ransomware attackers. They'll encrypt the files, but most people have backups these days. So it's much more a case of sharing internal secrets.

Kathy Zant:
Interesting. Okay. Well, if you're in Tulsa, that's something to look into for you as well. We did a live stream earlier this week and we talked about Core Web Vitals and performance monitoring, because we have some new features that we've added to our measurement tool called Fast or Slow, which you can reach at fastorslow.com. So we just added some new features, including free uptime monitoring, which is pretty incredible, free performance monitoring, and we also added two metrics to look at Core Web Vitals, which is going to become a ranking factor starting in August 2021.

Kathy Zant:
Which means that Google will look at your Core Web Vitals, your scores for these three metrics, to see how you're performing. And that will sort of feed into how you show up in the search engine result pages. So we invite you to go take a look at that episode on YouTube, because we walked through all of those different metrics, what they mean, how they're measured, and basically gave you some quick tours on how to set up that free uptime and performance monitoring at Fast or Slow. So go check that out. Also go check out Fast or Slow, because some of those new enhancements are pretty cool.

Ram Gall:
It’s free. It’s awesome. And it does a lot of things that, until extremely recently, tended to be very expensive.

Kathy Zant:
Yes, definitely. So definitely go check out Fast or Slow. Do I need to update my browser this week?

Ram Gall:
We're recording on Thursday, June 24th. As of yet, there are no Chrome zero days this week. No Safari zero days. No Firefox zero days that we know of. But stay tuned, that might pop up in the next day or two. Anyways, if you see a browser update, just hit update. If you see an OS update, no OS zero days either. So this is the week that we don't have any zero days that anyone has made public, as far as we know. But that doesn't mean you shouldn't update if you see updates available. So stay updated.

Kathy Zant:
Okay. Well, I’m updated. I hope you are too. And we will talk to you again next week. Bye.

Ram Gall:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 123: Over 30 Million Dell Devices at Risk for Remote BIOS Attacks appeared first on Wordfence.
