Firmware security company Eclypsium has disclosed a set of vulnerabilities in BIOSConnect, the remote recovery feature built into the firmware of Dell desktops, laptops and tablets. That may well explain the recent spike in activity on LVFS (Linux Vendor Firmware Service), which served over 100,000 firmware updates in a single day, as developer Richard Hughes showed on Twitter.
Secure Boot doesn't help here: the bugs are in the UEFI firmware itself, so an attacker gets code execution inside the BIOS before Secure Boot's checks on the OS bootloader ever come into play. At least 129 models of Dell laptops, tablets and desktops are affected, and Eclypsium estimates around 30 million devices in total. The advisories talk about Windows and don't mention Linux specifically, but since the flaw lives in the firmware rather than the operating system, the point is the same: you're vulnerable until you update. According to Eclypsium, the chain of issues allows a "privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines", in practice someone who can intercept the machine's connection to Dell's servers while the BIOS is fetching a recovery image.
If you do have a Dell device, make sure you've run all updates and checked for the latest firmware. On Linux you can update firmware through fwupd, which pulls the updates from LVFS. Run this in a terminal:
sudo fwupdmgr update
Most distributions ship a recent GNOME Software or KDE Discover that supports fwupd too, so you can use those instead if you prefer. Either way, the BIOS update is staged and written on the next reboot, so reboot once it reports the update as pending.
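A small script that ties the two halves of the procedure together, as an added example that is not from the article, Dell or Eclypsium: it reads the vendor and BIOS version the kernel exposes via DMI, compares the running version against a version you pass in, and optionally runs the fwupd refresh/list/apply cycle described above. The fixed BIOS version differs per model and is not on this page, so the required version is an input you take from Dell's advisory for your model; the script does not know it.

```shell
#!/bin/sh
# Added example (not the article's, Dell's or Eclypsium's code).
# Usage: sh check-dell-bios.sh REQUIRED_VERSION [--update]
# REQUIRED_VERSION is the fixed BIOS version for your model from Dell's
# advisory; it is an assumption supplied by the caller, not known here.
set -u

# Compare two dotted version strings component by component as integers.
# Echoes 0 when a == b, 1 when a > b, 2 when a < b. Non-digit characters in a
# component are stripped, so "A22" compares as 22 (assumption: that is the
# intended reading of letter-prefixed Dell BIOS versions).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bi="${b%%.*}"; if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai=$(printf '%s' "$ai" | tr -cd '0-9'); ai="${ai:-0}"
        bi=$(printf '%s' "$bi" | tr -cd '0-9'); bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
        if [ "$ai" -lt "$bi" ]; then echo 2; return 0; fi
    done
    echo 0
}

# Succeeds (exit 0) when CURRENT is at or above REQUIRED.
bios_at_least() {
    required="$1"; current="$2"
    [ "$(vercmp "$current" "$required")" != 2 ]
}

# Reads vendor and BIOS version from the DMI data the kernel exposes under
# /sys/class/dmi/id and reports whether the machine still needs the update.
# Exit codes: 0 = at or above required (or not a Dell), 1 = update needed,
# 2 = DMI data not readable.
check_this_machine() {
    required="$1"
    vendor=$(cat /sys/class/dmi/id/sys_vendor 2>/dev/null) || { echo "cannot read DMI vendor"; return 2; }
    version=$(cat /sys/class/dmi/id/bios_version 2>/dev/null) || { echo "cannot read DMI BIOS version"; return 2; }
    case "$vendor" in
        *Dell*) ;;
        *) echo "vendor is '$vendor', not Dell; nothing to check"; return 0 ;;
    esac
    if bios_at_least "$required" "$version"; then
        echo "BIOS $version is at or above $required"
        return 0
    fi
    echo "BIOS $version is below $required: update needed"
    return 1
}

# The fwupd cycle from the article: pull fresh LVFS metadata, show what is
# pending, then apply. The BIOS capsule is written on the next reboot, so the
# new version only shows up in DMI after that reboot.
fwupd_update() {
    sudo fwupdmgr refresh --force
    sudo fwupdmgr get-updates
    sudo fwupdmgr update
}

if [ $# -ge 1 ]; then
    check_this_machine "$1"; rc=$?
    if [ "$rc" -eq 1 ] && [ "${2:-}" = "--update" ]; then
        fwupd_update
    fi
    exit "$rc"
fi
```

Run it as `sh check-dell-bios.sh 1.10.0` to see where the machine stands, or add `--update` to kick off fwupd only when the running BIOS is below the version you gave. The comparison is deliberately numeric rather than a plain string compare, because "1.10.0" sorts below "1.9.2" as text but is the newer firmware.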
See more in the announcement from Eclypsium and also from Dell directly.
> It doesn't specifically state it's an issue for Linux and does mention Windows explicitly but the point is the same, you'll be vulnerable if you don't ensure you're up to date.
Since the vulnerability is in a feature designed for remote boot (recovery), it is fairly reasonable to assume that it doesn't require Windows to be functional or even present to be exploited.
Thanks for posting. Updating firmware is kind of scary to watch, but at least the steps are very easy.
It also worries me too! But I just updated and no issues.
Also, don't touch beta BIOSes with a 10-foot pole. Avoid them like the plague.