Dell, which pitches its Wyse ThinOS as "the most secure thin client operating system," plans to publish an advisory on Monday for two severe security vulnerabilities.
CVE-2020-29491 and CVE-2020-29492 are both critical flaws, managing a perfect (although unwelcome) CVSS score of 10 out of 10. The vulnerabilities, which affect all Dell Wyse Thin Clients running ThinOS versions 8.6 or earlier, allow more or less anyone to remotely run malicious code and to access arbitrary files on vulnerable devices.
The issues were identified by security biz CyberMDX, which said in its disclosure, "The profound potential impact of these vulnerabilities coupled with the relative ease of exploitation is what makes them so critical."
Dell Wyse Thin Clients allow companies to provide employees with access to applications via stripped-down, cloud-connected client machines that do most of their computing remotely on the server. In theory, this reduces costs, improves device manageability, and enhances security.
As CyberMDX explains in its report, while ThinOS can be remotely maintained, Dell recommends creating a local FTP server using Microsoft IIS and then setting up access to firmware, software packages, and INI configuration files.
The security biz points out that the FTP is set up for an "anonymous" user with no credentials. And while the firmware and packages on the FTP server have digital signatures, the INI configuration files do not. So anyone with access to them can alter them.
Not only are the INI files writable but this is by design – CyberMDX says there's a particular INI file on the FTP server that is supposed to be writable for connecting clients.
"Since there are no credentials, essentially anyone on the network can access the FTP server and modify that INI file holding configuration for the thin client devices," the CyberMDX advisory says, adding that even if credentials were set, they'd be shared across all the clients on the network, which would let them alter each other's INI files.
These INI files have a lot of parameters and altering them can open the door to bad things. Dell's guide [PDF] for configuring INI file parameters goes on for 112 pages. According to CyberMDX, altering those values makes a variety of attack scenarios possible, including a full remote takeover of the VNC (Virtual Network Computing) software, leaking remote desktop credentials, and manipulating DNS settings.
In the US alone, about 6000 companies and organizations use Dell Wyse Thin Clients, many of them healthcare organizations, the CyberMDX report says.
"We encourage customers to apply the remediations and follow the best practices described in the Dell Security Advisory (DSA-2020-281)," a Dell spokesperson told The Register in an email. "The security of our products is critical to helping ensure our customers’ data and systems are protected."
Dell's spokesperson thanked Gil David and Elad Luz of CyberMDX for reporting the vulnerabilities. ®