Dell PowerEdge Servers BIOS Exploit DEITYBOUNCE

DEITYBOUNCE is a software exploit that targets the BIOS on Dell PowerEdge servers. It uses System Management Mode (SMM) to gain periodic execution while the operating system loads.


What It Is
As noted above, DEITYBOUNCE is a software exploit that targets the BIOS on Dell PowerEdge servers. To re-flash the BIOS on a target machine, the NSA uses ARKSTREAM; ARKSTREAM is used to implant DEITYBOUNCE together with its payload or an implant installer. Once DEITYBOUNCE has been implanted on the target system, its frequency of execution (dropping the payload) is configurable, and execution occurs when the system is powered on. It is important to note how ARKSTREAM gets onto a target system: it can be delivered either by remote access or by interdiction. When the document says “interdiction”, it means that a non-technical operator installs it using a USB flash drive. They also have other methods of reaching a target system. One is to intercept the package: when you purchase a Dell PowerEdge server online, the package can be intercepted at UPS, FedEx, or whichever carrier is shipping it, and ARKSTREAM used to re-flash the BIOS before it ever reaches you. This means you can no longer purchase hardware online without the possibility of it being tampered with in transit. DEITYBOUNCE supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and XP. The document also states that it currently (as of 2008) targets Dell PowerEdge 1850/2850/1950/2950 RAID servers using BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7.


What We Can Do
This exploit could be a huge problem not only for small businesses but also in enterprise environments. Almost every data center runs Dell PowerEdge servers, whether it has one rack or thousands; Dell is huge in the server market for small, medium, and enterprise businesses. If Dell helped the NSA create this exploit (I personally don’t think they did), we could have some serious problems. This also goes back to the NSA’s Cisco IOS Firmware Persistence Implant JETPLOW, which I also wrote about: if Cisco helped the NSA create that software implant, we could have serious problems there as well. When the NSA (or anyone) has backdoors and/or exploits that can affect our core infrastructure, that is a big problem. There are really only two things we can do about it: pressure Dell to do something about this exploit (create a patch), or stop using Dell PowerEdge servers. Since the second option would be very difficult for most businesses, the only real option is to pressure Dell into developing more secure BIOS revisions and server hardware.


Thank you all for taking the time to read this post and as always God bless!

The NSA’s original documentation on DEITYBOUNCE

[Figure: the NSA ANT catalog page for DEITYBOUNCE]

Preston Hood
Hello, my name is Preston Hood. I am the owner of PJHoodsCo, an Information Technology Service Provider (ITSP). I am also a freelance writer and information security researcher.