DSA Reference: DSA-2020-119: Dell Client Products Unauthorized BIOS Password Reset Tool Vulnerability
Select Dell Client Commercial and Consumer platforms support a password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of a password generation tool that can generate BIOS recovery passwords. The tool, which is not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed hard-drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access, and BIOS pre-boot authentication.
Dell provides several mitigations and limitations to the use of unauthorized reset passwords on commercial platforms. We recommend customers follow security best practices and prevent unauthorized physical access to devices. Customers can also enable the Master Password Lockout feature from BIOS Setup (available on commercial platforms: on Insyde BIOS platforms with a BIOS release from March 2024 onwards, and on all other platforms starting from 2011) so that the Admin, System, and HDD passwords cannot be reset with a recovery password.
See Dell’s Security Advisory for more details: DSA-2020-119: Dell Client Products Unauthorized BIOS Password Reset Tool Vulnerability
Additional BIOS-related content which may be of use:
Q: Which models are affected?
A: This affects most Dell Client Commercial systems and select Consumer systems. Any platform that displays the following identifiers on the BIOS Preboot password prompts (Dell Security Manager)
B: Insyde BIOS platforms - To check if your platform is based on Insyde BIOS,
Q: How can I protect my platform from an unauthorized password reset?
A: There are several mitigations and best practices customers should follow to help protect their platforms.
Warning: If the Master Password Lockout option is selected and the customer subsequently forgets the password, Dell will not be able to assist in the recovery of passwords. The platform will be unrecoverable, and the motherboard or hard drive will need to be replaced.
Q: Can this tool be used remotely to reset my passwords?
A: No, a user must be physically present at the system to use the recovery password. So, physical protection of the platform should always be practiced.
Q: How can I determine if this tool was used on my platform?
A: Use of the recovery password can be detected after the fact, since it results in removal of the applicable BIOS passwords (Admin/System, or BIOS-managed HDD). A password that was set and is now cleared without an authorized change is the indicator to look for.
Q: Does the use of the recovery password allow access to the data on my HDD?
A: When setting the HDD password, an option is presented to force an HDD wipe if the HDD recovery password is used. If that option was selected when the HDD password was set, the HDD is wiped upon use of the HDD recovery password, so no data access is permitted. If the option was not selected, the data on the HDD is retained and the drive becomes accessible. However, if the drive is encrypted (for example with BitLocker), the attacker gains access to the drive but the data on it remains protected from disclosure. Note that the recovery password also opens BIOS Setup, so a BitLocker protector that relies only on the TPM and the measured boot configuration should be combined with a PIN or startup key to resist an attacker who can alter boot settings.
Q: Does the use of the recovery password allow access to the Operating System?
A: The use of the recovery password does not allow a bypass of the OS credentials.
Q: Does this affect Self Encrypting Drives that utilize an external SED Management Application to set passwords on my drive?
A: This tool does not affect self-encrypting drives that are provisioned and managed by an external SED management application. The reset tool only affects BIOS passwords managed through BIOS Setup.
Q: Does this tool compromise the integrity of my BIOS firmware and my platform root of trust?
A: The use of the recovery password does not compromise the integrity of the BIOS firmware. BIOS firmware is protected by NIST SP 800-147 signed-update verification as well as additional features such as Intel Boot Guard, Intel BIOS Guard, and chipset firmware write protections. Use of the tool can, however, allow access to the BIOS Setup interface, which would allow changing the security settings of the platform, such as Secure Boot enable and TPM settings; after a suspected reset, those settings should be re-verified.
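The detection approach described in the two answers above (a password that was set is now cleared; Secure Boot or TPM settings changed from BIOS Setup) and the Master Password Lockout posture check from the advisory can be automated against periodic BIOS inventory exports. The following is an added example and not Dell's code or tooling; it assumes a hypothetical inventory format in which each record is one host's BIOS state at one point in time, and the sample records are constructed for illustration.

```python
"""Flag BIOS password removal and security-setting drift across inventory snapshots.

Added example, not Dell code. The BiosSnapshot record layout is an assumption
standing in for whatever the site's inventory tool exports.
"""
from dataclasses import dataclass
from datetime import datetime
from itertools import groupby


@dataclass(frozen=True)
class BiosSnapshot:
    host: str
    taken: datetime
    admin_password_set: bool
    system_password_set: bool
    hdd_password_set: bool
    master_password_lockout: bool
    secure_boot: bool
    tpm_enabled: bool


# A True -> False transition on any of these fields between two consecutive
# snapshots of the same host is what a recovery-password reset (or a follow-on
# change made in BIOS Setup) leaves behind.
WATCHED_FIELDS = {
    "admin_password_set": "Admin password removed",
    "system_password_set": "System password removed",
    "hdd_password_set": "BIOS-managed HDD password removed",
    "secure_boot": "Secure Boot disabled",
    "tpm_enabled": "TPM disabled",
}


def analyze(snapshots, authorized_changes=frozenset()):
    """Return findings as (host, timestamp, severity, message) tuples.

    authorized_changes: set of (host, 'YYYY-MM-DD') pairs for which a BIOS
    change was ticketed; a transition seen on such a day is reported as INFO
    rather than ALERT so that legitimate resets do not page anyone.
    """
    findings = []
    ordered = sorted(snapshots, key=lambda s: (s.host, s.taken))
    for host, group in groupby(ordered, key=lambda s: s.host):
        prev = None
        for cur in group:
            if prev is not None:
                ticketed = (host, cur.taken.strftime("%Y-%m-%d")) in authorized_changes
                for field, message in WATCHED_FIELDS.items():
                    if getattr(prev, field) and not getattr(cur, field):
                        severity = "INFO" if ticketed else "ALERT"
                        findings.append((host, cur.taken.isoformat(), severity, message))
            prev = cur
        # Posture check on the latest snapshot: without Master Password Lockout
        # the Admin/System/HDD passwords can still be cleared with a recovery password.
        if prev is not None and not prev.master_password_lockout:
            findings.append((host, prev.taken.isoformat(), "WARN",
                             "Master Password Lockout not enabled"))
    return findings


# Constructed sample data, not real inventory. Field order matches BiosSnapshot:
# host, taken, admin, system, hdd, lockout, secure_boot, tpm.
SAMPLE_SNAPSHOTS = [
    # LT-0412: admin and HDD passwords vanish and Secure Boot is turned off overnight.
    BiosSnapshot("LT-0412", datetime(2024, 5, 1, 8, 0), True, False, True, False, True, True),
    BiosSnapshot("LT-0412", datetime(2024, 5, 2, 8, 0), False, False, False, False, False, True),
    # LT-0977: stable, lockout enabled.
    BiosSnapshot("LT-0977", datetime(2024, 5, 1, 8, 0), True, False, True, True, True, True),
    BiosSnapshot("LT-0977", datetime(2024, 5, 2, 8, 0), True, False, True, True, True, True),
    # LT-1130: admin password cleared on a day with an authorized change ticket.
    BiosSnapshot("LT-1130", datetime(2024, 5, 1, 8, 0), True, False, False, True, True, True),
    BiosSnapshot("LT-1130", datetime(2024, 5, 2, 8, 0), False, False, False, True, True, True),
]
AUTHORIZED = frozenset({("LT-1130", "2024-05-02")})


def sample_findings():
    return analyze(SAMPLE_SNAPSHOTS, AUTHORIZED)


if __name__ == "__main__":
    for host, when, severity, message in sample_findings():
        print(f"{severity:5} {host} {when} {message}")
```

On the constructed data this reports three ALERT findings and one WARN for LT-0412, nothing for LT-0977, and a single INFO for LT-1130. Feed it the real export by building BiosSnapshot records from whichever BIOS attribute names the inventory tool uses; only the True-to-False transitions and the lockout check matter.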