Security News Dell BIOS Flaw Lets Attackers Recover Admin Passwords From SPI Flash in Milliseconds

Parkinsond

Level 63
Thread author
Verified
Top Poster
Well-known
Dec 6, 2023
5,199
16,201
6,169
A critical flaw in how Dell stores BIOS administrator and user passwords allows full password recovery from a flash dump in milliseconds, with no brute force required.

Dell stores BIOS passwords in the DVAR (Dell Variable) region of the SPI flash chip, encrypted using a repeating 20-byte XOR key applied to a 32-byte field. The first character of the password is stored completely unencrypted.

For any password of 12 characters or fewer, the unused, null-padded tail of the 32-byte field ends up XORed against zero, which simply reveals raw key bytes. Since the key is only 20 bytes but the field is 32, this mismatch leaks the entire key directly from the record, letting attackers reverse the password instantly.

Longer passwords leave a small blind zone, but the researchers found a way around it: Dell’s key derivation uses only a fixed per-device seed, a GUID, and the single unencrypted first character of the password.

 
From the researcher: Dell BIOS Passwords: Weak XOR Encryption Allows Recovery from SPI Flash (CVE-2026-40639) - MDSec

The researched vulnerable models: Dell Latitude E7250 (end of life), Dell Wyse 5070, Dell Latitude 7490, Dell XPS 15 9560 (end of life).

On the OptiPlex 3000, Dell has replaced the DVAR and XOR scheme with a SIVB (Security Information Vault Block) store that hashes the password with SHA-256 and keeps it in an encrypted vault and is not recoverable from a flash dump. So Dell knows how to do this properly and has done so on newer models. The problem is that the fix has not reached everything still being sold and deployed. The Wyse 5070, a current, supported thin client, still ships the recoverable DVAR and XOR scheme. Two of the other confirmed-vulnerable devices, the Latitude E7250 and the XPS 15 9560, are themselves no longer supported and will not receive fixes at all, which for anyone still running them means permanent exposure rather than reassurance.

The weakness is architectural rather than tied to one model: we believe it affects any Dell BIOS that uses the DVAR XOR password store, and that store is implemented in SystemPwSmm, which is common across Dell client platforms.

Dell’s advisory is explicitly a first wave rather than the full picture. The fixed list in DSA-2026-197 covers the Edge Gateway 3000 and 5000, the Embedded PC 3000 and 5000, the Precision 3630 Tower and 3930 Rack, and a range of Rugged Latitudes. It does not include any of the devices we confirmed vulnerable, the Wyse 5070, the Latitude E7250, the XPS 15 9560, or the Latitude 7490. Dell has confirmed to us that this advisory does not cover every platform it plans to patch, and has told us the remaining affected platforms are targeted for remediation by the end of July 2026. That is a stated target rather than a shipped fix, and the full scale of the problem is not yet known. What is clear is that current, deployed hardware, the Wyse 5070 thin client included, remains vulnerable and unpatched as things stand.