On a system configured to unlock with a user's fingerprint, the vulnerabilities could be used to tamper with the firmware so that it accepts any fingerprint rather than only an enrolled one, setting up the possibility of Mission Impossible-style hack scenarios.
Mitigation
The first step in mitigating all the flaws is to install the latest version of the ControlVault3 firmware. “CV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior,” Cisco Talos noted.
Enterprises that don't use the security peripherals ControlVault serves (fingerprint readers, smart card readers, or NFC readers) should consider disabling the CV services as a precaution. Disabling fingerprint login while risk is heightened, such as during offsite visits or while traveling, offers another potential mitigation.
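The two precautions above, as an added example script that is not from Cisco Talos, Dell, or the original article. It audits a Dell endpoint from an elevated PowerShell session and only changes anything when run with -Enforce. Its assumptions, labelled as such in the code: that the ControlVault host service and device carry "ControlVault" in their display or friendly names, and that the fingerprint, smart card and NFC readers enumerate under the PnP classes Biometric, SmartCardReader and Proximity. The biometrics policy it sets is the standard Windows "Allow the use of biometrics" policy, which turns off every Windows Hello biometric method, not only the fingerprint reader.

```powershell
<#
  Added example, not vendor code. Assumptions: CV service/device names contain
  "ControlVault"; readers enumerate as Biometric / SmartCardReader / Proximity.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Report only unless -Enforce is given.
    [switch]$Enforce
)

# 1. Locate ControlVault services (display-name match is an assumption).
$cvServices = Get-Service | Where-Object { $_.DisplayName -like '*ControlVault*' }
if (-not $cvServices) {
    Write-Host 'No ControlVault services found; this host probably has no CV hardware.'
} else {
    $cvServices | Format-Table Name, DisplayName, Status, StartType -AutoSize
}

# 2. Are any of the peripherals the text names actually present? (class names assumed)
$peripheralClasses = 'Biometric', 'SmartCardReader', 'Proximity'
$peripherals = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Class -in $peripheralClasses }
if ($peripherals) {
    Write-Host 'Security peripherals present; keep the CV services and patch the firmware instead:'
    $peripherals | Format-Table Class, FriendlyName, Status -AutoSize
}

# 3. Report the driver version bound to the CV device. This is only a proxy:
#    confirm the firmware version itself against Dell's advisory before treating
#    the host as patched.
Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.FriendlyName -like '*ControlVault*' } |
    ForEach-Object {
        $ver = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_DriverVersion').Data
        Write-Host ("{0}: driver version {1}" -f $_.FriendlyName, $ver)
    }

# 4. Mitigation A: CV present but no peripherals in use -> stop and disable the services.
if ($cvServices -and -not $peripherals) {
    foreach ($svc in $cvServices) {
        if ($Enforce -and $PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable service')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc.Name -StartupType Disabled
        } else {
            Write-Host "Would stop and disable service $($svc.Name) (re-run with -Enforce)."
        }
    }
}

# 5. Mitigation B: turn off biometric sign-in for the travel window via the
#    "Allow the use of biometrics" policy (Enabled = 0). Remove the value or set
#    it to 1 to restore fingerprint login afterwards.
$bioKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
if ($Enforce -and $PSCmdlet.ShouldProcess($bioKey, 'Set Enabled=0')) {
    New-Item -Path $bioKey -Force | Out-Null
    New-ItemProperty -Path $bioKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'Biometric sign-in disabled by policy (takes effect at next sign-in).'
} else {
    $cur = (Get-ItemProperty -Path $bioKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $state = if ($null -eq $cur) { 'not configured (biometrics allowed)' } else { "Enabled=$cur" }
    Write-Host "Biometrics policy currently: $state"
}
```

Run it once without switches to see what it would change, then with -Enforce (or -WhatIf to preview the individual actions). Disabling the CV services is the right default only for fleets that have never enrolled fingerprints or smart cards; on hosts where the readers are in use, the firmware update is the mitigation and the services must stay running.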