Dell recently patched two security vulnerabilities in its SupportAssist Client, including one that could be exploited to achieve remote code execution.
Tracked as CVE-2019-3718, the first of the vulnerabilities is an improper origin validation flaw that could allow an unauthenticated remote attacker to potentially attempt cross-site request forgery (CSRF) attacks on users of the impacted systems.
The issue has a CVSS score of 7.6 and has been fixed with the release of Dell SupportAssist Client 3.2.0.90.
Tracked as CVE-2019-3719 and featuring a CVSS score of 7.1, the second vulnerability could be exploited by an unauthenticated attacker that shares the network access layer with the vulnerable system to compromise that system.
For that, however, the attacker would need to trick the victim user into downloading and executing arbitrary files via the SupportAssist client, Dell noted in an advisory. The files would be fetched from attacker hosted sites.
Bill Demirkapi, who found and reported the vulnerability, explains that the SupportAssist client fetches drivers from Dell’s website and that communication with the local systems takes place over an exposed REST API on port 8884, 8883, 8886, or 8885, depending on which is available.
The process involves a series of integrity checks, but one of the functions involved in these checks provides the attacker with a lot of ground to work with, the researchers says. The issue can be abused in multiple ways, one of which involves generating a random subdomain name and using an external machine to DNS Hijack the victim and respond to requests with this server instead.
“Some concerning factors I noticed while looking at different types of requests I could make is that I could get a very detailed description of every piece of hardware connected to my computer using the ‘getsysteminfo’ route. Even through Cross Site Scripting, I was able to access this data, which is an issue because I could seriously fingerprint a system and find some sensitive information,” Demirkapi says.
One of the methods exposed by the client would download a file from a specified URL and then run it. Checks are performed to ensure that the right files are downloaded and that they come from Dell’s website.
The exploitation process, the researcher explains, involves tricking the client into accepting a payload that does not come from Dell’s accepted subdomains. After overcoming this obstacle, he was able to set up the attack from a local network.
The researcher also published a demo to show how the vulnerability can be exploited, and made the proof-of-concept code available online.
Related: Dell Resets User Passwords Following Data Breach
Related: Dell Patches Vulnerability in Pre-installed SupportAssist Utility
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
