Dell SupportAssist Bug Exposes Business, Home PCs to Attacks

Dell published a security update to patch a SupportAssist Client software flaw which enables potential local attackers to execute arbitrary code with Administrator privileges on vulnerable computers.

According to Dell's website, the SupportAssist software is "preinstalled on most of all new Dell devices running Windows operating system."

SupportAssist also "proactively checks the health of your system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin."

Could be used in binary planting attacks

As explained by Dell in its advisory, "A locally authenticated low privileged user could exploit this vulnerability to cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code."

This uncontrolled search path vulnerability, reported by CyberArk's Eran Shimony, is tracked as CVE-2020-5316, carries a high-severity CVSSv3 base score of 7.8, and affects the following Dell SupportAssist versions:

• Dell SupportAssist for business PCs version 2.1.3 or earlier
• Dell SupportAssist for home PCs version 3.4 or earlier.

The company released Dell SupportAssist version 2.1.4 for business PCs and Dell SupportAssist version 3.4.1 for home PCs with fixes for the vulnerability.

Dell advises all customers to update the Dell SupportAssist software on their computers 'at the earliest opportunity,' seeing that all unpatched versions are vulnerable to attacks. If exploited, this vulnerability allows attackers to load and execute malicious payloads within the context of SupportAssist's binaries on unpatched machines.

While this flaw's threat level is not immediately obvious, given that abusing it requires local access and a low-privileged user on the system, such security issues, some of which even require Admin privileges, are regularly rated with high-severity CVSS 3.x base scores.

Attackers abuse DLL search-order hijacking bugs like this one in binary planting attacks that allow for further compromise of the device and help them gain persistence in later stages of attacks.

Update to fix the bug

Dell says that all versions of SupportAssist will automatically install the latest released versions if automatic upgrades are enabled.

If auto-update is not toggled on, home customers can manually check for updates by opening the SupportAssist software and clicking 'About SupportAssist' in the Settings window to check for newer versions, and then hitting the 'Update Now' link displayed.

For business customers, the process is a bit more convoluted and Dell recommends following the Dell SupportAssist for business PCs deployment guide for deployment instructions.
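For administrators who want to confirm that the update actually landed on a fleet of Windows machines rather than trusting auto-update, the following PowerShell check reads the installed SupportAssist version from the standard Uninstall registry keys and compares it with the fixed releases named above. This is an added example, not Dell's code or part of the original article; it assumes SupportAssist registers an Uninstall entry whose DisplayName contains "SupportAssist", and it maps the 2.x version line to the business edition and the 3.x line to the home edition, matching the affected versions listed in the advisory.

```powershell
# Added example (not Dell's code): reports whether the installed Dell SupportAssist
# build is at or above the fixed releases from the CVE-2020-5316 advisory.
# Assumptions: SupportAssist registers itself under the standard Uninstall keys with a
# DisplayName containing "SupportAssist"; 2.x is the business edition, 3.x the home edition.

$fixedVersions = @{
    2 = [version]'2.1.4'   # business PCs: fixed in 2.1.4 per the advisory
    3 = [version]'3.4.1'   # home PCs: fixed in 3.4.1 per the advisory
}

# Both native and 32-bit-on-64-bit Uninstall hives, so either installer flavour is found.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SupportAssistStatus {
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' -and $_.DisplayVersion }

    if (-not $entries) {
        return [pscustomobject]@{ Name = $null; Version = $null; Status = 'Not installed' }
    }

    foreach ($e in $entries) {
        $installed = $null
        # DisplayVersion is a string; turn it into a [version] so comparisons are numeric,
        # not lexical (otherwise "3.10" would sort below "3.4").
        if (-not [version]::TryParse($e.DisplayVersion, [ref]$installed)) {
            [pscustomobject]@{ Name = $e.DisplayName; Version = $e.DisplayVersion; Status = 'Unparseable version' }
            continue
        }

        $fixed = $fixedVersions[$installed.Major]
        $status = if ($null -eq $fixed) {
            'Unknown version line (not covered by this check)'
        } elseif ($installed -ge $fixed) {
            'Patched'
        } else {
            "VULNERABLE to CVE-2020-5316: update to $fixed or later"
        }

        [pscustomobject]@{ Name = $e.DisplayName; Version = $installed; Status = $status }
    }
}

Get-SupportAssistStatus | Format-Table -AutoSize
```

Run it in an elevated or standard PowerShell session on the endpoint (reading HKLM Uninstall keys does not require administrator rights); in a fleet, wrap the call in Invoke-Command or push it through your endpoint management tool and collect the Status column. Anything other than 'Patched' is worth a ticket, including 'Not installed' on a Dell machine where the software is expected, since that usually means the entry lives somewhere the check does not look.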

Dell previously patched a remote code execution vulnerability in the SupportAssist Client software in May 2019 which allowed unauthenticated attackers on the same Network Access layer as the targeted system to remotely execute arbitrary executables on vulnerable devices.

A similar RCE flaw was found by security researcher Tom Forbes in the Dell System Detect software in 2015. Forbes said at the time that the flaw "allowed an attacker to trigger the program to download and execute an arbitrary file without any user interaction."

H/T Günter Born
