Dell Client Platform update for INSYDE UEFI BIOS

Published: 2023-12-01

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2021-38575
CWE-ID	CWE-119
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software Subscribe	Vostro 5625 Hardware solutions / Firmware Vostro 5515 Hardware solutions / Firmware Vostro 5415 Hardware solutions / Firmware Vostro 3525 Hardware solutions / Firmware Vostro 3515 Hardware solutions / Firmware Vostro 3425 Hardware solutions / Firmware Vostro 3405 Hardware solutions / Firmware Vostro 16 5635 Hardware solutions / Firmware Vostro 15 3535 Hardware solutions / Firmware Vostro 14 3435 Hardware solutions / Firmware Inspiron 7415 2-in-1 Hardware solutions / Firmware Inspiron 7405 2-in-1 Hardware solutions / Firmware Inspiron 5515 Hardware solutions / Firmware Inspiron 5505 Hardware solutions / Firmware Inspiron 5425 Hardware solutions / Firmware Inspiron 5415 Hardware solutions / Firmware Inspiron 5405 Hardware solutions / Firmware Inspiron 3785 Hardware solutions / Firmware Inspiron 3585 Hardware solutions / Firmware Inspiron 3515 Hardware solutions / Firmware Inspiron 3505 Hardware solutions / Firmware Inspiron 16 7635 2-in-1 Hardware solutions / Firmware Inspiron 16 5635 Hardware solutions / Firmware Inspiron 15 3535 Hardware solutions / Firmware Inspiron 15 3525 Hardware solutions / Firmware Inspiron 14 7435 2-in-1 Hardware solutions / Firmware Inspiron 14 7425 2-in-1 Hardware solutions / Firmware Inspiron 14 5435 Hardware solutions / Firmware Dell G5 5505 Hardware solutions / Firmware Dell G15 5525 Hardware solutions / Firmware Dell G15 5515 Hardware solutions / Firmware Alienware m17 R5 AMD Hardware solutions / Firmware Alienware m15 Ryzen Edition R5 Hardware solutions / Firmware Alienware m15 R7 AMD Hardware solutions / Firmware
Vendor	Dell

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Buffer overflow

EUVDB-ID: #VU56490

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38575

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the IScsiHexToBin() function in NetworkPkg/IScsiDxe. A remote attacker with ability to inject data into communication between edk2 and the iSCSI target can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Vostro 5625: before 1.12.1

Vostro 5515: before 1.18.1

Vostro 5415: before 1.18.1

Vostro 3525: before 1.13.0

Vostro 3515: before 1.15.1

Vostro 3425: before 1.13.0

Vostro 3405: before 1.15.1

Vostro 16 5635: before 1.6.1

Vostro 15 3535: before 1.6.0

Vostro 14 3435: before 1.6.0

Inspiron 7415 2-in-1: before 1.18.1

Inspiron 7405 2-in-1: before 1.14.2

Inspiron 5515: before 1.18.1

Inspiron 5505: before 1.13.2

Inspiron 5425: before 1.12.1

Inspiron 5415: before 1.15.0

Inspiron 5405: before 1.13.2

Inspiron 3785: before 1.15.0

Inspiron 3585: before 1.15.0

Inspiron 3515: before 1.15.1

Inspiron 3505: before 1.15.1

Inspiron 16 7635 2-in-1: before 1.6.1

Inspiron 16 5635: before 1.6.1

Inspiron 15 3535: before 1.6.0

Inspiron 15 3525: before 1.13.0

Inspiron 14 7435 2-in-1: before 1.6.1

Inspiron 14 7425 2-in-1: before 1.12.1

Inspiron 14 5435: before 1.6.1

Dell G5 5505: before 1.17.2

Dell G15 5525: before 1.11.1

Dell G15 5515: before 1.14.0

Alienware m17 R5 AMD: before 1.11.1

Alienware m15 Ryzen Edition R5: before 1.15.0

Alienware m15 R7 AMD: before 1.11.1

External links

http://www.dell.com/support/kbdoc/nl-nl/000217230/dsa-2023-322-security-update-for-a-dell-client-platform-insyde-uefi-bios-vulnerability

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.