Dell on Monday informed customers that updates released for some of its Wyse Thin Client products patch a couple of critical vulnerabilities that can be exploited remotely without authentication to compromise devices.
The vulnerabilities were discovered by researchers at CyberMDX, a company that specializes in healthcare cybersecurity, and they can be leveraged to access arbitrary files on affected devices and execute malicious code.
Dell Wyse Thin Client is a small form-factor PC series that runs an operating system named ThinOS, which Dell advertises as “the most secure thin client operating system.” According to CyberMDX, there are more than 6,000 organizations using these products, including many healthcare providers, in the U.S. alone.
CyberMDX researchers noticed that the local FTP server used by Wyse Thin Client devices to obtain new firmware, packages and configurations is, by default, accessible without credentials, allowing anyone on the network to access it.
An attacker could access an INI file stored on this server that contains configuration data for thin client devices and make modifications to that file.
“The INI files contain a long list of configurable parameters detailed on more than 100 pages by official Dell documentation,” CyberMDX explained in its advisory. “Reading or altering those parameters opens the door to a variety of attack scenarios. Configuring and enabling VNC for full remote control, leaking remote desktop credentials, and manipulating DNS results are some of the scenarios to be aware of.”
Attacks are possible due to two vulnerabilities: CVE-2020-29491, which allows an unauthenticated attacker to access the configuration file, and CVE-2020-29492, which allows them to make changes to the file.
Dell informed customers that the vulnerabilities impact Wyse 3040, 5010, 5040, 5060, 5070, 5470 and 7010 thin client devices running ThinOS 8.6 and prior. The flaws have been patched with the release of version 8.6 MR8 of ThinOS.
Earlier this month, CyberMDX disclosed a critical vulnerability impacting over 100 medical devices made by GE Healthcare. The flaw can be exploited to access or modify health information.
Related: Another Flaw in Dell SupportAssist Allows Code Execution With Elevated Privileges
Related: Dell Patches Remote Code Execution Vulnerability in SupportAssist Client
Related: Vulnerabilities in Device Drivers From 20 Vendors Expose PCs to Persistent Malware