Attackers could, for example, target various Dell laptop models and read out unencrypted hard drive passwords. The vulnerabilities have been known for a long time, but security updates have only now become available.
Specifically, there are two vulnerabilities (CVE-2022-29276, rated "high"; CVE-2021-38489, rated "high") in the BIOS from UEFI firmware vendor Insyde. The vulnerabilities have been known since the beginning or end of 2022. According to a Dell advisory, firmware updates were not released until March 2023, and the computer manufacturer only published its advisory on this in April. It is not yet clear why these delays occurred.
Models from the Alienware, G15, Inspiron and Vostro series are affected. Dell does not explain how attackers could exploit the vulnerabilities. In one case, attackers could use certain inputs to cause memory corruption in System Management RAM (SMRAM). This usually leads to crashes, but it can often also allow malicious code to get onto the device.
In the second case, attackers could access clear-text hard disk passwords due to kernel bugs. It is not yet known whether attacks have already taken place.