2 Posts

July 5th, 2020 04:00

7405 UEFI bug - Setting a system password is allowed while an admin password is set and settings are locked

While I was setting up security measures on my 7405 2-in-1, I set a system password, which I assumed would prevent anyone from booting into the BIOS and making any changes. All of the BIOS settings were disabled except for two - unlock BIOS (which should be allowed) and system password (which should not).

This means that, on a machine with the admin password set in an attempt to prevent modification of the BIOS settings, anyone with brief physical access to the machine could still set a password that would be required upon boot.

While this does not technically constitute a risk of compromising the data on the machine (as far as I am aware), it does allow a rather annoying denial-of-service attack that would potentially require me to reset the CMOS and configure my settings all over again.

11 Legend

July 5th, 2020 08:00

@dalp  Your first sentence says that you set a system password.  Based on what follows and the title of your thread, I'm guessing that was a typo and you meant to say "admin" password instead?

I can't speak for Dell's firmware engineers, but I suspect this may well be by design.  When an admin password is set, the system password is used only to be able to boot the system.  So the idea is that an IT organization could set the admin password to prevent BIOS changes, and then the user could set their own system password to prevent the system from being booted.  And the DoS scenario you're worried about I believe is mitigated by the fact that the admin password can be used to clear a system password even without knowing it.  If you'd like to test this, set a system password (different from the admin password), then choose to change the system password, and when you're prompted for the current password, enter the ADMIN password instead.

2 Posts

July 5th, 2020 08:00

You are correct, that was a typo. Thank you for the tip about being able to enter the admin password in place of the system password; I had no idea that was possible on the initial boot screen.

3 Posts

July 5th, 2020 19:00

yessss

3 Posts

July 5th, 2020 19:00

right bro

January 3rd, 2021 02:00

That's still no solution to being locked out of your account by a password made up by Support Assist to sell their so-called OS recovery system. I was doing a factory reset and I was interrupted by Support Assist saying there was something wrong with my system. They offered to take over and like a fool I allowed them to, thinking it's Dell, no problem, but they couldn't finish?????, made up a password and got me locked out so I would come crawling to get their program. NOT!!!

This, folks, is just another way to promote their UEFI, which I fully intend on disabling as soon as I install my legacy boot ROM.
