Dell Computer Corporation, Inc. Information for VU#552286

UEFI EDK2 Capsule Update vulnerabilities

Status

Affected

Vendor Statement

The security of our systems and customer information is a top priority for Dell. Dell is aware of the recent security concerns that MITRE published, and is reviewing these claims against our products. Dell will take appropriate action to resolve any security related issues found on our products and provide updates to our customers.

The vulnerability outlined by MITRE is not a Dell specific issue, but instead is a larger industry issue. An exploit of this vulnerability would have to be executed on a UEFI-installed OS and executed under administrative privileges with driver-level access. Dell recommends that our customers use best security practices and lock down system admin modes as a standard part of their security process.

BIOS Details

Client Solutions (CS) commercial platforms do not use the UEFI code described in the MITRE vulnerability report during any BIOS or firmware update. The code exists in some client systems in a dormant state and may be discovered through binary analysis. Updated BIOS code has been developed to further quarantine this code during the boot process to mitigate any potential for indirect exploit. A list of BIOS update patches is included below for planning purposes and BIOS revisions are included (subject to change):

Dell System                               BIOS Update   Release Planned
Latitude 13 (3340)                        A03           Oct-14
Latitude 6430U                            A09           Oct-14
Latitude E5440/E5540                      A09           Nov-14
Latitude E5530/E5430                      A15           Oct-14
Latitude E6230/E6330/E6430S               A14           Oct-14
Latitude E6530                            A16           Oct-14
Latitude E6430                            A16           Oct-14
Latitude E6440                            A09           Nov-14
Latitude E6540                            A12           Nov-14
Latitude E7240/E7440                      A12           Nov-14
OptiPlex 3010                             A13           Nov-14
OptiPlex 3011 AIO                         A06           Oct-14
OptiPlex 3020                             A05           Oct-14
OptiPlex 7010/9010                        A19           Oct-14
OptiPlex 7020/9020                        A08           Oct-14
OptiPlex 9010 AIO                         A16           Oct-14
OptiPlex 9020 AIO                         A09           Oct-14
Precision Mobile Workstation M4700        A13           Oct-14
Precision Mobile Workstation M6700        A14           Oct-14
Precision Workstation R7610               A08           Nov-14
Precision Workstation T1650               A18           Nov-14
Precision Workstation T1700               A11           Oct-14
Precision Workstation T3610/T5610/T7610   A09           Nov-14
Precision Workstation M6800/M4800         A11           Nov-14
PowerEdge Server T20                      A06           Nov-14
Venue 11 Pro (5130-32Bit)                 A09           Oct-14
Venue 11 Pro (5130-64Bit)                 A02           Oct-14
Venue 11 Pro (7130/7139)                  A13           Oct-14
Venue 8 Pro (5830)                        A09           Oct-14

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.