Affected Platform: Dell Client Consumer and Commercial platforms
Problem:
Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled. This could allow the use of a malicious GRUB configuration file (grub.cfg) via physical access to the platform, or OS administrator privileges. This could allow attackers to run malware and alter the boot process, among other malicious actions.
Reference:
Operating System providers' advisories can be found in the following Dell Security Notice: https://www.dell.com/support/article/SLN322283.
Frequently Asked Questions:
Q: Which models are affected?
A: Dell Client and Commercial platforms that have UEFI Secure Boot enabled are impacted. Dell recommends that customers review their Operating System provider’s advisories for further information, including appropriate identification and additional mitigation measures.
Customers should follow security best practices and prevent unauthorized physical access to devices. Customers can also take the following measures to further protect themselves from physical attacks.
Q: I use a Windows Operating System. Am I impacted?
A: Yes. Windows Operating Systems are impacted. A malicious actor who has physical access to the platform, or OS administrator privileges, could load a vulnerable GRUB UEFI binary and boot-time malware.
Q: What do I need to do to address this vulnerability?
A: There are multiple components that may need to be updated:
Applicable to Windows and Linux-based Operating Systems:
UEFI Forbidden signatures database (dbx) update
A signed revocation database update has been made available by Microsoft that will prevent systems from booting vulnerable GRUB binaries.
Installing this update will prevent existing vulnerable Linux OS installation and recovery media from booting when UEFI Secure Boot is enabled.
Applicable to Linux Operating Systems:
GRUB Patch
As part of Linux Operating System vendors’ advisories, they will be rolling out updated GRUB binaries.
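To confirm on a Linux system that the dbx update described above has been applied, the following added example (not Dell's or Microsoft's code) parses the EFI_SIGNATURE_LIST entries of the dbx variable and checks whether a given SHA-256 image hash is revoked. The efivarfs path and the helper names are assumptions of this example; note that dbx hash entries are Authenticode digests of the EFI binary, not plain file hashes.

```python
import struct
import uuid

# UEFI spec GUID identifying a signature list of SHA-256 hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Assumed Linux efivarfs path of dbx; the file starts with a 4-byte attributes field.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_dbx_sha256(data):
    """Return the set of SHA-256 digests (hex) revoked in raw dbx bytes."""
    revoked, off = set(), 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 48:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:
                # Each entry: 16-byte SignatureOwner GUID, then the 32-byte digest.
                revoked.add(data[pos + 16:pos + 48].hex())
                pos += sig_size
        off += list_size  # other list types (e.g. X.509 certificates) are skipped
    return revoked


def is_revoked(authenticode_sha256_hex, dbx_bytes):
    """True if the given Authenticode SHA-256 digest appears in dbx."""
    return authenticode_sha256_hex.lower() in parse_dbx_sha256(dbx_bytes)


def build_sample_dbx(digests):
    """Constructed test input: one SHA-256 signature list with a zero owner GUID."""
    body = b"".join(bytes(16) + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body


if __name__ == "__main__":
    with open(DBX_EFIVAR, "rb") as f:
        dbx = f.read()[4:]  # drop the efivarfs attributes prefix
    print(len(parse_dbx_sha256(dbx)), "SHA-256 hashes revoked in dbx")
```

A noticeably larger hash count after the update than before it indicates the new revocations were written to the firmware variable.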
Q: I applied the dbx updates and I can no longer boot Linux OS installation media. What do I do?
A: Customers who experience issues after updating dbx can revert the dbx update by doing the following:
This will revert your dbx database to the factory default.