Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Dell Patches Remote Code Execution Vulnerability in SupportAssist Client

Dell recently patched two security vulnerabilities in its SupportAssist Client, including one that could be exploited to achieve remote code execution. 

Dell recently patched two security vulnerabilities in its SupportAssist Client, including one that could be exploited to achieve remote code execution. 

Tracked as CVE-2019-3718, the first of the vulnerabilities is an improper origin validation flaw that could allow an unauthenticated remote attacker to potentially attempt cross-site request forgery (CSRF) attacks on users of the impacted systems.

The issue has a CVSS score of 7.6 and has been fixed with the release of Dell SupportAssist Client 3.2.0.90.

Tracked as CVE-2019-3719 and featuring a CVSS score of 7.1, the second vulnerability could be exploited by an unauthenticated attacker that shares the network access layer with the vulnerable system to compromise that system. 

For that, however, the attacker would need to trick the victim user into downloading and executing arbitrary files via the SupportAssist client, Dell noted in an advisory. The files would be fetched from attacker hosted sites. 

Bill Demirkapi, who found and reported the vulnerability, explains that the SupportAssist client fetches drivers from Dell’s website and that communication with the local systems takes place over an exposed REST API on port 8884, 8883, 8886, or 8885, depending on which is available. 

The process involves a series of integrity checks, but one of the functions involved in these checks provides the attacker with a lot of ground to work with, the researchers says. The issue can be abused in multiple ways, one of which involves generating a random subdomain name and using an external machine to DNS Hijack the victim and respond to requests with this server instead.

“Some concerning factors I noticed while looking at different types of requests I could make is that I could get a very detailed description of every piece of hardware connected to my computer using the ‘getsysteminfo’ route. Even through Cross Site Scripting, I was able to access this data, which is an issue because I could seriously fingerprint a system and find some sensitive information,” Demirkapi says. 

One of the methods exposed by the client would download a file from a specified URL and then run it. Checks are performed to ensure that the right files are downloaded and that they come from Dell’s website. 

The exploitation process, the researcher explains, involves tricking the client into accepting a payload that does not come from Dell’s accepted subdomains. After overcoming this obstacle, he was able to set up the attack from a local network. 

The researcher also published a demo to show how the vulnerability can be exploited, and made the proof-of-concept code available online. 

Related: Dell Resets User Passwords Following Data Breach

Related: Dell Patches Vulnerability in Pre-installed SupportAssist Utility

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.