Remote Code Execution Vulnerability Found on Most Dell Computers
Date: Jun 04, 2019
Posted by: admin
Categories: Cyber Security

Recently launched Dell-made Windows laptops may be vulnerable to remote hijacking.

A 17-year-old security researcher has found that a program pre-installed on these laptops contains a vulnerability that can be exploited remotely to compromise the machine.

The researcher analyzed Dell's 'SupportAssist' program and found the bug there: a malicious third party can hijack the updates pushed by the program and use them to install malware on a targeted computer.

The tool runs with administrator-level Windows access and automatically updates drivers, adjusts settings, and cleans up files.

When we think of Remote Code Execution (RCE) vulnerabilities in mass, we might think of vulnerabilities in the operating system, but another attack vector to consider is “What third-party software came with my PC?”

A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow attackers to execute code with admin privileges on devices running an older version of this tool and take over users' systems. The number of impacted users is believed to be very high, as SupportAssist is one of the apps that Dell pre-installs on all Dell laptops and computers the company ships with Windows (systems sold without an OS are not impacted).

Dell released a patch for this security flaw on April 23; however, many users are likely to remain vulnerable unless they have already updated the tool, which is used for debugging, diagnostics, and automatic Dell driver updates.

The attack relies on luring users to a malicious web page, where JavaScript code can trick the Dell SupportAssist tool into downloading and running files from an attacker-controlled location. Because the Dell SupportAssist tool runs as admin, attackers gain full access to targeted systems if they manage to get themselves into the proper position to execute this attack.

Two scenarios in which the attack could work are public Wi-Fi networks and large enterprise networks where there is at least one compromised machine that can be used to launch ARP and DNS attacks against adjacent Dell systems running the SupportAssist tool.

ATTACK REQUIRES NO USER INTERACTION

The attack requires no user interaction beyond getting users to visit a malicious page, and the malicious JavaScript code that drives the attack can also be hidden inside ads (iframes) on legitimate sites if necessary.

The iframe points to a subdomain of dell.com, and a DNS spoofing attack performed from an attacker-controlled machine or router then returns an incorrect IP address for the dell.com name, allowing the attacker to control which files are sent to and executed by the SupportAssist tool.
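The spoofing step described above leaves a trace in resolver logs: a dell.com name answered with an address that does not match a trusted lookup, or that points into the local network. The following Python is an added example, not part of the article or of Dell's tooling, that flags such answers; the log format, the baseline addresses and the sample lines are constructed placeholders.

```python
import ipaddress

# Constructed baseline: answers an independent, trusted resolver returned.
# Placeholder addresses, not Dell's real DNS records.
TRUSTED_BASELINE = {
    "downloads.dell.com": {"203.0.113.10", "203.0.113.11"},
}

# RFC 1918, link-local and loopback ranges: a public vendor domain resolving
# into these is the signature of an on-LAN spoofed answer.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

# Constructed resolver log: "<timestamp> <client> <qname> <answer>"
SAMPLE_LOG = """\
2019-06-04T10:01:02Z 10.0.0.23 downloads.dell.com 203.0.113.10
2019-06-04T10:01:09Z 10.0.0.41 downloads.dell.com 10.0.0.99
2019-06-04T10:02:15Z 10.0.0.23 example.net 198.51.100.7
2019-06-04T10:03:40Z 10.0.0.57 downloads.dell.com 198.51.100.200
"""

def is_dell_domain(qname):
    q = qname.lower().rstrip(".")
    return q == "dell.com" or q.endswith(".dell.com")

def classify_answer(qname, answer):
    """Return a reason if the answer for a dell.com name looks spoofed."""
    if not is_dell_domain(qname):
        return None
    ip = ipaddress.ip_address(answer)
    if any(ip in net for net in LOCAL_NETS):
        return "vendor domain resolved to a local address"
    expected = TRUSTED_BASELINE.get(qname.lower().rstrip("."))
    if expected is not None and answer not in expected:
        return "answer differs from trusted baseline"
    return None

def find_spoofed_answers(log_text):
    """Return (client, qname, answer, reason) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        _ts, client, qname, answer = parts
        reason = classify_answer(qname, answer)
        if reason:
            hits.append((client, qname, answer, reason))
    return hits
```

Only the two dell.com answers that point to a LAN address or disagree with the baseline are reported; the unrelated example.net lookup is ignored.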

Dell took the researcher's report seriously and has worked over the past months to patch CVE-2019-3719, a task that concluded last week with the release of SupportAssist v3.2.0.90, which Dell users are now advised to install.