Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

Dell Client Products Unauthorized BIOS Password Reset Tools

Summary: Dell Client Products Unauthorized BIOS Password Reset Tools

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

DSA Reference: DSA-2020-119: Dell Client Products Unauthorized BIOS Password Reset Tool Vulnerability

Details: 

Select Dell Client Commercial and Consumer platforms support a password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of a password generation tools that can generate BIOS recovery passwords. The tools, which is not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed (hard-drive) HDD passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access, and BIOS pre-boot authentication.

Resolution: 

Dell provides several mitigations and limitations to the use of unauthorized reset passwords on commercial platforms. We recommend customers follow security best practices and prevent unauthorized physical access to devices. Customers can also choose to enable the Master Password Lockout feature from BIOS Setup (available on commercial platforms – all platforms with Insyde BIOS release from March 2024 onwards and for all other platforms starting from 2011)  to protect Admin, System, and HDD passwords are protected from being reset.

See Dell’s Security Advisory for more details: DSA-2020-119: Dell Client Products Unauthorized BIOS Password Reset Tool Vulnerability

Also additional BIOS related content which may be of use:

Frequently Asked Questions:    

Q: Which models are affected?

A: This affects most Dell Client Commercial systems and select Consumer systems. Any platform that displays the following identifiers on the BIOS Preboot password prompts (Dell Security Manager)

  • <SERVICE TAG or HDD SN>-D35B
  • <SERVICE TAG or HDD SN>-1F5A
  • <SERVICE TAG or HDD SN>-595B
  • <SERVICE TAG or HDD SN>-2A7B
  • <SERVICE TAG or HDD SN>-1D3B
  • <SERVICE TAG or HDD SN>-1F66
  • <SERVICE TAG or HDD SN>-6FF1
  • <SERVICE TAG or HDD SN>-BF97
  • <SERVICE TAG or HDD SN>-E7A8

B: Insyde BIOS platforms - To check if your platform is based on Insyde BIOS,

  1. Turn on the computer.
  2. At the Dell logo screen, press the F2 key several times until you enter the BIOS or System Setup.
  3. Alternatively, press the F12 key several times until you see the One Time Boot Menu and then select BIOS Setup or System Setup from the menu.
  4. Insyde BIOS platform shows “InsydeH2O Setup Utility" on top of setup page.



Q: How can I protect my platform from an unauthorized password reset?

A: There are several mitigations and best practices customers should follow to help protect their platforms.

  • Master Password Lockout. It can be enabled from BIOS Setup. Once enabled, the Admin, System, and HDD passwords are protected from being reset using recovery password. (Available on commercial platforms – all platforms with Insyde BIOS release from March 2024 onwards and for all other platforms starting from 2011)  
  • A user must be physically present at the system to use the recovery password. So, physical protection of the platform should always be practiced.

Warning: If the Master Password Lockout option is selected and the customer subsequently forgets the password, Dell will not be able to assist in the recovery of passwords. The platform will be unrecoverable, and the motherboard or hard drive will need to be replaced.

Q: Can this tool be used remotely to reset my passwords?

A: No, a user must be physically present at the system to use the recovery password. So, physical protection of the platform should always be practiced.

Q: How can I determine if this tool was used on my platform?

A: Use of the recovery password can be detected, since its use results in removal of the applicable BIOS passwords (Admin/System, or BIOS-managed HDD).

Q: Does the use of the recovery password allow access to the data on my HDD?

A: When setting the HDD Password, an option is presented to force a HDD wipe if the HDD Recovery Password is used. If this option was selected when the HDD password was set, the HDD is wiped upon use of the HDD Recovery password.  So, no data access is permitted. If this option is not selected, the data on the HDD is retained. However, if HDD encryption is used (such as BitLocker) the data is accessible, but the information on the drive it is protected from disclosure.

Q: Does the use of the recovery password allow access to the Operating System?

A: The use of the recovery password does not allow a bypass of the OS credentials.

Q: Does this affect Self Encrypting Drives that utilize an external SED Management Application to set passwords on my drive?

A:  This tool does not impact self-encrypting drives that are provisioned and managed by an external SED management applications. The reset tool only affects BIOS passwords managed by BIOS Setup.

Q: Does this tool compromise the integrity of my BIOS firmware and my platform root of trust?

A: The use of the recovery password does not compromise the integrity of the BIOS firmware. BIOS firmware is protected by NIST 800-147 signature verification protection as well as additional features such as Intel BootGuard, Intel BIOSGuard, and chipset firmware write protections. Use of the tool can allow access to the BIOS Setup Interface, which would allow changing the security settings of the platform, such as Secure Boot Enable and TPM settings.  

Article Properties
Article Number: 000180749
Article Type: How To
Last Modified: 25 Nov 2024
Version:  5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.