A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems.
Dell has released a patch for this security flaw on April 23; however, many users are likely to remain vulnerable unless they’ve already updated the tool –which is used for debugging, diagnostics, and Dell drivers auto-updates.
The number of impacted users is believed to be very high, as the SupportAssist tool is one of the apps that Dell will pre-install on all Dell laptops and computers the company ships with a running Windows OS (systems sold without an OS are not impacted).
Bill Demirkapi, a 17-year-old independent security researcher, has discovered a critical remote code execution vulnerability in the Dell SupportAssist utility that comes pre-installed on most Dell computers.
Dell SupportAssist, formerly known as Dell System Detect, checks the health of your computer system’s hardware and software.
The utility has been designed to interact with the Dell Support website and automatically detect Service Tag or Express Service Code of your Dell product, scan the existing device drivers and install missing or available driver updates, as well as perform hardware diagnostic tests.
ATTACK REQUIRES LAN/ROUTER COMPROMISE
“The attacker needs to be on the victim’s network in order to perform an ARP Spoofing Attack and a DNS Spoofing Attack on the victim’s machine in order to achieve remote code execution,” Demirkapi told ZDNet today in an email conversation.
This might sound hard, but it isn’t as complicated as it appears.
Two scenarios in which the attack could work include public WiFi networks or large enterprise networks where there’s at least one compromised machine that can be used to launch the ARP and DNS attacks against adjacent Dell systems running the SupportAssist tool.
Another plausible scenario is in situations where hackers have compromised the users’ local WiFi router, and are in a position to alter DNS traffic directly on the router.
As we’ve seen in the past few months, hacking routers to hijack DNS traffic isn’t a sophisticated attack anymore and is happening more and more often, mainly due to the sad state of router security [1, 2].
ATTACK REQUIRES NO USER INTERACTION
As Demirkapi explained to ZDNet, the iframe will point to a subdomain of dell.com, and then a DNS spoofing attack performed from an attacker-controlled machine/router will return an incorrect IP address for the dell.com domain, allowing the attacker to control what files are sent and executed by the SupportAssist tool.
The good news is that Dell took the researcher’s report seriously and has worked for the past months to patch CVE-2019-3719, a task that concluded last week with the release of SupportAssist v22.214.171.124, which Dell users are now advised to install.
If you are wondering how it works, Dell SupportAssist in the background runs a web server locally on the user system, either on port 8884, 8883, 8886, or port 8885, and accepts various commands as URL parameters to perform some-predefined tasks on the computer, like collecting detailed system information or downloading a software from remote server and install it on the system.
Though the local web service has been protected using the “Access-Control-Allow-Origin” response header and has some validations that restrict it to accept commands only from the “dell.com” website or its subdomains, Demirkapi explained ways to bypass these protections in a blog post published Wednesday.
As shown in the video, Demirkapi demonstrated [PoC code] how remote hackers could have easily downloaded and installed malware from a remote server on affected Dell computers to take full control over them.
“An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites,” Multinational computer technology company Dell said in an advisory.
The remote code execution vulnerability, identified as CVE-2019-3719, affects Dell SupportAssist Client versions prior to version 126.96.36.199.
Before publishing the vulnerability details in public, the researcher responsibly reported his findings to the Dell security team, which has now released an update version of the affected software to address the issue.
Besides this issue, Dell has also patched an improper origin validation (CVE-2019-3718) vulnerability in the SupportAssist software that could have allowed an unauthenticated, remote attacker to attempt CSRF attacks on users’ systems.
Dell users are advised to either install the updated Dell SupportAssist 188.8.131.52 or later, or simply uninstall the application altogether, if not required, before hackers try to exploit the weaknesses to take full control over their computer systems.