Dell Computers Exposed to RCE Attacks by SupportAssist Flaws

Dell issued a security update to patch a SupportAssist Client software vulnerability which allows potential unauthenticated attackers on the same Network Access layer to remotely execute arbitrary executables on vulnerable computers.

According to Dell's website, the SupportAssist software is "preinstalled on most of all new Dell devices running Windows operating system" and it "proactively checks the health of your system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin."

Most new Dell computers exposed to RCE attacks

As explained by Dell in its advisory, "An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites."

The software flaw is tracked as CVE-2019-3719 and comes with a high severity CVSSv3 base score of 8.0 assigned by the National Vulnerability Database (NVD).

Dell patched the SupportAssist software during late April 2019 following an initial report received from 17-year old security researcher Bill Demirkapi on October 10, 2018.

Also, Dell advises all customers to update SupportAssist Client as soon as possible, seeing that all versions prior to 3.2.0.90 are vulnerable to remote code execution attacks; version 3.2.0.90 and later contain the fix.

Improper origin validation vulnerability also patched

Dell also fixed an improper origin validation flaw in the SupportAssist Client software reported by John C. Hennessy-ReCar, tracked as CVE-2019-3718 and coming with a high severity CVSS v3.0 rating of 8.8.

Dell says in the same security advisory that "An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems."

Customers who want to protect themselves from potential attacks trying to exploit this software flaw are encouraged to update the SupportAssist application if they have a version prior to 3.2.0.90.
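Both advisories boil down to the same check: is the installed SupportAssist Client older than 3.2.0.90? The following PowerShell script is an added example for administrators auditing a Windows fleet; it is not from the article or from Dell. It assumes (not stated on this page) that SupportAssist registers an entry under the standard Uninstall registry hives whose DisplayName contains "SupportAssist" and whose DisplayVersion is a dotted version string, and it compares that version against the 3.2.0.90 threshold the article cites.

```powershell
# Added example (not from the article or Dell): enumerate installed programs from the
# standard Uninstall registry hives and flag Dell SupportAssist installs older than 3.2.0.90.
# Assumptions (not stated in the article): SupportAssist registers an Uninstall entry whose
# DisplayName contains "SupportAssist" and whose DisplayVersion is a dotted version string.

$FixedVersion = [version]'3.2.0.90'   # first patched version, per the Dell advisory cited above

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SupportAssistStatus {
    # Read every Uninstall entry and keep only those that look like SupportAssist
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' -and $_.DisplayVersion }

    foreach ($entry in $entries) {
        $installed = $null
        # DisplayVersion may not parse as System.Version (e.g. trailing text); report it as unknown
        if (-not [version]::TryParse($entry.DisplayVersion, [ref]$installed)) {
            [pscustomobject]@{
                Name    = $entry.DisplayName
                Version = $entry.DisplayVersion
                Status  = 'UnknownVersionFormat - check manually'
            }
            continue
        }
        # Anything below the fixed version is affected by CVE-2019-3719 / CVE-2019-3718
        $status = if ($installed -lt $FixedVersion) { 'VULNERABLE - update required' } else { 'Patched' }
        [pscustomobject]@{
            Name    = $entry.DisplayName
            Version = $installed.ToString()
            Status  = $status
        }
    }
}

$results = Get-SupportAssistStatus
if (-not $results) {
    Write-Output 'No SupportAssist installation found in the Uninstall registry hives.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on each endpoint, or wrap the function in `Invoke-Command` to fan it out across a fleet. Entries whose version string does not parse are listed separately rather than silently treated as patched, so an unexpected version format never hides a vulnerable install.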

Security researcher Bill Demirkapi discovered that the RCE vulnerability can be exploited by attackers using ARP and DNS spoofing attacks, as detailed in the step-by-step proof-of-concept procedure he published, which could be used to deliver the RCE payload onto a victim's Dell computer.

Demirkapi published a detailed technical description of the steps he took to discover the software flaw and a Dell SupportAssist RCE proof of concept.

He also published a demo video on YouTube showing his PoC at work.

This is not the first time Dell software was found to be vulnerable to remote code execution attacks, with a similar security flaw having been found by security researcher Tom Forbes in the Dell System Detect program back in 2015.

At the time, Forbes said the flaw "allowed an attacker to trigger the program to download and execute an arbitrary file without any user interaction."
