Eclypsium researchers said the issues affect 129 models of Dell consumer and business laptops, desktops, and tablets, an estimated 30 million devices in total. According to Eclypsium's report, the findings consist of one vulnerability (CVE-2021-21571) that makes the TLS connection from the BIOS to Dell's servers insecure (the BIOS does not properly validate the server certificate, so an attacker who can intercept the connection can impersonate Dell), and three overflow vulnerabilities (CVE-2021-21572, CVE-2021-21573, CVE-2021-21574).
Among the overflow vulnerabilities, two affect the operating system recovery process, and the other affects the firmware update process. The three are independent of each other, and each can lead to arbitrary code execution in the BIOS. Dell remediated CVE-2021-21573 and CVE-2021-21574 on the server side on May 28, 2021; CVE-2021-21571 and CVE-2021-21572 require a Dell Client BIOS update, so a server-side fix alone does not leave a device fully patched.
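The certificate-validation weakness behind CVE-2021-21571 comes down to one missing check: after the certificate chain validates, the client must also confirm that the certificate was issued for the host it meant to reach. The block below is an added illustration written for this article, not Dell's or Eclypsium's code; the SAN lists and hostnames it uses are constructed, and `accept_any_valid_name` is a hypothetical name for the weak check, shown next to a proper RFC 6125-style hostname match and the equivalent setting on a Python `ssl` client context.

```python
"""Hostname validation for a TLS client: the check that is absent when a
client accepts any valid certificate. Added example, not vendor code.
All certificate names and hosts below are constructed for illustration."""

import ssl


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against a hostname.
    A '*' is only allowed as the entire leftmost label, it must be followed
    by at least two more labels, and it never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host  # exact match for non-wildcard names
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False  # "*.com" is not a valid wildcard; depth must be equal
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches(san_dns_names, expected_host: str) -> bool:
    """Proper check: some SAN dNSName must match the host we set out to
    reach. A certificate for any other domain is rejected even if its
    chain validates to a trusted CA."""
    return any(_name_matches(name, expected_host) for name in san_dns_names)


def accept_any_valid_name(san_dns_names) -> bool:
    """Weak check (hypothetical name): the chain validated and the
    certificate carries some name, so it is accepted. Any attacker holding
    a valid certificate for their own domain passes this test."""
    return len(san_dns_names) > 0


def client_context(verify_hostname: bool) -> ssl.SSLContext:
    """The same distinction as a Python ssl client setting. With
    check_hostname off, the stdlib still validates the chain but skips the
    SAN-versus-hostname comparison, which is the weak behaviour above."""
    ctx = ssl.create_default_context()
    if not verify_hostname:
        ctx.check_hostname = False  # do not ship this in a client
    return ctx


if __name__ == "__main__":
    intended_host = "downloads.example-vendor.test"  # constructed host
    attacker_cert = ["*.attacker.test"]              # constructed SAN list
    vendor_cert = ["*.example-vendor.test"]          # constructed SAN list
    print("weak check, attacker cert:", accept_any_valid_name(attacker_cert))
    print("proper check, attacker cert:", hostname_matches(attacker_cert, intended_host))
    print("proper check, vendor cert:", hostname_matches(vendor_cert, intended_host))
```

The weak check is the property to test for when auditing any firmware or embedded TLS client: present it with a certificate that chains to a trusted CA but names a different host, and see whether the connection proceeds.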
In addition, the researchers recommend that users not use BIOSConnect to update their BIOS. Users who cannot update their systems immediately can disable BIOSConnect from the BIOS setup page, or use the Dell Command | Configure (DCC) remote system management tool to disable it across managed devices.