BIOSConnect vulnerabilities affecting Streamvault products

August 3rd, 2021

Multiple security vulnerabilities affecting the BIOSConnect feature within Dell Client BIOS have been discovered, allowing a privileged network adversary to gain arbitrary code execution. These components are used by some appliances of the Streamvault portfolio.

Risk assessment

The Dell BIOSConnect feature allows a user to update a system BIOS and recover the operating system (OS) remotely. A malicious user could gain remote code execution by impersonating a legitimate server while this feature is being used.

The severity of the issues ranges from a CVSSv3.1 score of 7.2 (High) to 5.9 (Medium). For more details, please consult Dell’s DSA-2021-106 security advisory.

Details

These vulnerabilities are exploitable only under a specific condition: a user with physical access needs to trigger the BIOSConnect feature.

The vulnerabilities could affect some Streamvault workstations and all-in-one appliances. Other Streamvault products are not affected. See the table below for more details.

Recommendation

Genetec Inc. recommends updating to the latest Dell Client BIOS version in accordance with Dell security advisory DSA-2021-106.

Workarounds

If the newest BIOS versions can’t be applied in a timely fashion, it is recommended to disable the BIOSConnect feature. Please see Dell security advisory DSA-2021-106 for more details.

Affected products

To determine if the Streamvault appliance is affected, you must verify the Dell platform used by the appliance:

  • Open the Start menu
  • Type "System Information"
  • Select the "System Information" desktop app
  • Look for the “System Model” field which corresponds to the Dell platform

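Genetec Product                      | Dell platform  | Affected? | BIOS version
-------------------------------------|----------------|-----------|-------------
SV-100E, SV-300E, SVA-101E, SVW-100E | Optiplex 3080  | Yes       | Before 2.1.1
SVW-30xE-SF1                         | Precision 3440 | Yes       | Before 1.4.0
SVW-30xE-T3, SV-300E-T4              | Precision 3640 | Yes       | Before 1.6.2
All other Streamvault products       |                | No        |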
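
The check described above can also be scripted. The following PowerShell is an added example, not Genetec or Dell code: it reads the same "System Model" value and the BIOS version, then compares them against the table. The function name, the status strings and the substring match on the model are assumptions made for this example.

```powershell
# Added example, not Genetec or Dell code. Table values are copied from the
# advisory; the function name and status strings are hypothetical.
$AffectedPlatforms = @(
    [pscustomobject]@{ Platform = 'Optiplex 3080';  FixedIn = [version]'2.1.1' }
    [pscustomobject]@{ Platform = 'Precision 3440'; FixedIn = [version]'1.4.0' }
    [pscustomobject]@{ Platform = 'Precision 3640'; FixedIn = [version]'1.6.2' }
)

function Test-BiosConnectExposure {
    param(
        # Defaults read the values that System Information shows on this machine.
        [string]$Model       = (Get-CimInstance Win32_ComputerSystem).Model,
        [string]$BiosVersion = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion
    )

    # Case-insensitive substring match: the reported model string may carry a
    # suffix after the platform name (assumption).
    $entry = $AffectedPlatforms |
        Where-Object { $Model -like "*$($_.Platform)*" } |
        Select-Object -First 1

    $result = [pscustomobject]@{
        Model = $Model; BiosVersion = $BiosVersion; FixedIn = $null; Status = 'NotListed'
    }
    # Not one of the three Dell platforms in the table.
    if (-not $entry) { return $result }

    $result.FixedIn = $entry.FixedIn
    $current = $null
    if (-not [version]::TryParse($BiosVersion, [ref]$current)) {
        # Unparseable version string: do not guess, flag it for manual review.
        $result.Status = 'CheckManually'
    } elseif ($current -lt $entry.FixedIn) {
        # Older than the first fixed BIOS: update, or disable BIOSConnect.
        $result.Status = 'UpdateRequired'
    } else {
        $result.Status = 'Patched'
    }
    return $result
}

# Constructed sample inputs (not real inventory data), then the local machine.
Test-BiosConnectExposure -Model 'OptiPlex 3080' -BiosVersion '2.0.9'
Test-BiosConnectExposure -Model 'Precision 3640 Tower' -BiosVersion '1.6.2'
Test-BiosConnectExposure
```

A result of 'UpdateRequired' corresponds to a "Yes" row in the table with a BIOS older than the listed version.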

For more information or assistance, please log in to the Genetec Technical Assistance Portal (GTAP) to open a support case.