Dell Client Products Unauthorized BIOS Password Reset Tools

DSA Reference: DSA-2020-119: Dell Client Products Unauthorized BIOS Password Reset Tool Vulnerability

Details: 

Select Dell Client Commercial and Consumer platforms support a password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of a password generation tools that can generate BIOS recovery passwords. The tools, which is not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed (hard-drive) HDD passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access, and BIOS pre-boot authentication.

Resolution: 

Dell provides several mitigations and limitations to the use of unauthorized reset passwords on commercial platforms. We recommend customers follow security best practices and prevent unauthorized physical access to devices. Customers can also choose to enable the Master Password Lockout feature from BIOS Setup (available on commercial platforms – all platforms with Insyde BIOS release from March 2024 onwards and for all other platforms starting from 2011)  to protect Admin, System, and HDD passwords are protected from being reset.

See Dell’s Security Advisory for more details: DSA-2020-119: Dell Client Products Unauthorized BIOS Password Reset Tool Vulnerability

Frequently Asked Questions:    

Q: Which models are affected?

A: This affects most Dell Client Commercial systems and select Consumer systems. Any platform that displays the following identifiers on the BIOS Preboot password prompts (Dell Security Manager)

• <SERVICE TAG or HDD SN>-D35B
• <SERVICE TAG or HDD SN>-1F5A
• <SERVICE TAG or HDD SN>-595B
• <SERVICE TAG or HDD SN>-2A7B
• <SERVICE TAG or HDD SN>-1D3B
• <SERVICE TAG or HDD SN>-1F66
• <SERVICE TAG or HDD SN>-6FF1
• <SERVICE TAG or HDD SN>-BF97
• <SERVICE TAG or HDD SN>-E7A8

B: Insyde BIOS platforms - To check if your platform is based on Insyde BIOS,

1. Turn on the computer.
2. At the Dell logo screen, press the F2 key several times until you enter the BIOS or System Setup.
3. Alternatively, press the F12 key several times until you see the One Time Boot Menu and then select BIOS Setup or System Setup from the menu.
4. Insyde BIOS platform shows “InsydeH2O Setup Utility" on top of setup page.

Q: How can I protect my platform from an unauthorized password reset?

A: There are several mitigations and best practices customers should follow to help protect their platforms.

• Master Password Lockout. It can be enabled from BIOS Setup. Once enabled, the Admin, System, and HDD passwords are protected from being reset using recovery password. (Available on commercial platforms – all platforms with Insyde BIOS release from March 2024 onwards and for all other platforms starting from 2011)  
• A user must be physically present at the system to use the recovery password. So, physical protection of the platform should always be practiced.

Warning: If the Master Password Lockout option is selected and the customer subsequently forgets the password, Dell will not be able to assist in the recovery of passwords. The platform will be unrecoverable, and the motherboard or hard drive will need to be replaced.

Q: Can this tool be used remotely to reset my passwords?

A: No, a user must be physically present at the system to use the recovery password. So, physical protection of the platform should always be practiced.

Q: How can I determine if this tool was used on my platform?

A: Use of the recovery password can be detected, since its use results in removal of the applicable BIOS passwords (Admin/System, or BIOS-managed HDD).

Q: Does the use of the recovery password allow access to the data on my HDD?

A: When setting the HDD Password, an option is presented to force a HDD wipe if the HDD Recovery Password is used. If this option was selected when the HDD password was set, the HDD is wiped upon use of the HDD Recovery password.  So, no data access is permitted. If this option is not selected, the data on the HDD is retained. However, if HDD encryption is used (such as BitLocker) the data is accessible, but the information on the drive it is protected from disclosure.

Q: Does the use of the recovery password allow access to the Operating System?

A: The use of the recovery password does not allow a bypass of the OS credentials.

Q: Does this affect Self Encrypting Drives that utilize an external SED Management Application to set passwords on my drive?

A:  This tool does not impact self-encrypting drives that are provisioned and managed by an external SED management applications. The reset tool only affects BIOS passwords managed by BIOS Setup.

Q: Does this tool compromise the integrity of my BIOS firmware and my platform root of trust?

A: The use of the recovery password does not compromise the integrity of the BIOS firmware. BIOS firmware is protected by NIST 800-147 signature verification protection as well as additional features such as Intel BootGuard, Intel BIOSGuard, and chipset firmware write protections. Use of the tool can allow access to the BIOS Setup Interface, which would allow changing the security settings of the platform, such as Secure Boot Enable and TPM settings.  

Recommended Articles

Here are some recommended articles related to this topic that might be of interest to you.

• Dell Support for Lost BIOS Password
• Dell Command PowerShell Provider BIOS Passwords feature
• How to Reset or Clear the BIOS Password
• General Hard Drive and BIOS Password Information
• Resetting the BIOS to Default Configuration on a System May Not Match the BIOS Settings Configured from the Factory