CVE-2024-0161
📋 TL;DR
This vulnerability allows a local low-privileged attacker on affected Dell PowerEdge and Precision Rack servers to perform arbitrary writes to SMRAM (System Management RAM) due to improper buffer verification in SMM (System Management Mode) communication. This could lead to privilege escalation and system compromise. Only users with local access to vulnerable Dell servers are affected.
💻 Affected Systems
- Dell PowerEdge Servers
- Dell Precision Rack Workstations
📦 What is this software?
Poweredge M630 \(pe Vrtx\) Firmware by Dell
View all CVEs affecting Poweredge M630 \(pe Vrtx\) Firmware →
Poweredge M640 \(pe Vrtx\) Firmware by Dell
View all CVEs affecting Poweredge M640 \(pe Vrtx\) Firmware →
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including BIOS/UEFI persistence, bypassing security controls, and establishing a permanent foothold on the server.
Likely Case
Privilege escalation from a low-privileged user to SYSTEM/root level access, allowing installation of malware or data exfiltration.
If Mitigated
Limited impact if proper access controls prevent local attacker access and BIOS-level security features are enabled.
🎯 Exploit Status
Requires local access and low-privileged credentials. SMM exploitation typically requires specialized knowledge of BIOS internals.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIOS updates specified in Dell advisory DSA-2024-006
Restart Required: Yes
Instructions:
1. Identify your server model and current BIOS version. 2. Download appropriate BIOS update from Dell Support site. 3. Apply update using Dell Update Package or iDRAC. 4. Reboot server to complete installation.
🔧 Temporary Workarounds
Restrict Local Access
allLimit physical and remote console access to trusted administrators only
Enable BIOS Security Features
allEnable BIOS password, secure boot, and TPM where available
🧯 If You Can't Patch
- Isolate affected servers in secure network segments with strict access controls
- Implement multi-factor authentication and privileged access management for all server access
🔍 How to Verify
Check if Vulnerable:
Check BIOS version against affected versions in Dell advisory DSA-2024-006. Use 'dmidecode -t bios' on Linux or wmic bios get smbiosbiosversion on Windows.Check Version:
Linux: dmidecode -t bios | grep Version, Windows: wmic bios get smbiosbiosversionVerify Fix Applied:
Verify BIOS version has been updated to patched version listed in Dell advisory.📡 Detection & Monitoring
Log Indicators:
- Unusual BIOS/UEFI access attempts
- Privilege escalation from low to high privilege accounts
- Unexpected system reboots or BIOS configuration changes
Network Indicators:
- Unusual outbound connections from server management interfaces
SIEM Query:
source="bios_logs" OR event_id=6008 OR (process_name="powershell" AND command_line="*bios*" OR "*uefi*")🔗 References
- https://www.dell.com/support/kbdoc/en-us/000222979/dsa-2024-006-security-update-for-dell-poweredge-server-bios-for-an-improper-smm-communication-buffer-verification-vulnerability
- https://www.dell.com/support/kbdoc/en-us/000222979/dsa-2024-006-security-update-for-dell-poweredge-server-bios-for-an-improper-smm-communication-buffer-verification-vulnerability
