Dell has copped to a flaw in SupportAssist – a Windows-based troubleshooting program preinstalled on nearly every one of its newer devices running the OS – that allows local hackers to load malicious files with admin privileges.
The company has issued an advisory about the vulnerability, warning that a locally authenticated low-privilege user could exploit the bug to load arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of malware.
SupportAssist scans the system's hardware and software, and when an issue is detected, it sends the necessary system state information to Dell for troubleshooting to begin.
This type of vulnerability is fairly common, but typically requires admin privileges to exploit, so isn't generally considered a serious security threat. But Cyberark's Eran Shimony, who discovered the bug, said that in this case, SupportAssist attempts to load a DLL from a directory that a regular (non-admin) user can write into.
"Therefore, a malicious non-privileged user can write a DLL that would be loaded by DellSupportAssist, effectively gaining code execution inside software that runs with NT AUTHORITY\System privileges," Shimony told The Reg.
"This is because you can write a code entry inside a function called DLLMain (in the malicious DLL) that would be called immediately upon loading. This code piece would run in the privilege level of the host process."
The flaw (CVE-2020-5316), which has a severity rating of "high", affects Dell SupportAssist for business PCs version 2.1.3 or earlier and for home PCs version 3.4 or earlier.
Business users need to update to version 2.1.4 for and home desk jockeys should roll over to version 3.4.1 to get the fixes.
The flaw requires local access, meaning a potential wrong'un would have to be logged into the network. But once a miscreant is in, even at an unprivileged level, they can use the vulnerability to run their own code at elevated privileges, which can be used to gain further control of the device.
"Alternatively the flaw could be exploited to gain access to sensitive data or indeed to steal the credentials of other accounts, such as the domain administrator account," Brian Honan, founder of BH Consulting, told The Reg.
Millions of Windows Dell PCs need patching: Give-me-admin security gremlin found lurking in bundled support toolREAD MORE
This isn't the first security flaw that has been discovered in SupportAssist. In June 2019, Dell warned of another privilege-escalation vulnerability, CVE-2019-12280. Like the current vuln, it meant attackers could take advantage of SupportAssist's SYSTEM-level privileges, by leaving malware or their own DLL files in a path and letting SupportAssist load and execute the code within an admin context. That particular flaw emanated from a third-party component of SupportAssist produced and maintained by PC Doctor.
Just months before, in late April 2019, the company warned of "multiple vulnerabilities" in the software (CVE-2019-3718 and CVE-2019-3719), allowing a baddie to trick a user into downloading and executing arbitrary executables "via [the] SupportAssist client from attacker hosted sites".
"The discovery of yet another flaw in Dell's SupportAssist software highlights that software which runs with elevated privileges will always be targeted and underlies why it is so important the companies who produce such software have robust security testing and vulnerability management processes in place," Honan told us.
Organisations also might want to consider removing anything non-critical from their setup, he opined. "The more software and services installed on a system, the bigger target presented to those wishing to attack it," said Honan.
Dell shipped 46.5 million PCs last year, according to industry analyst IDC. We have contacted Dell EMC for comment. ®
Updated at 09:06 on 12 February to add
Dell has been in touch with The Reg to say: "As you're aware, Dell has released fixes for an uncontrolled search path vulnerability within Dell SupportAssist Client (CVE-2020-5316). Customers can review Dell's Security Advisory (DSA-2020-005) for affected products, versions and additional information. We'd like to thank Eran Shimony for reporting the vulnerability and working with us to disclose the remediation."