Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Dell Patches Remote Code Execution Vulnerability in SupportAssist Client

Dell recently patched two security vulnerabilities in its SupportAssist Client, including one that could be exploited to achieve remote code execution. 

Dell recently patched two security vulnerabilities in its SupportAssist Client, including one that could be exploited to achieve remote code execution. 

Tracked as CVE-2019-3718, the first of the vulnerabilities is an improper origin validation flaw that could allow an unauthenticated remote attacker to potentially attempt cross-site request forgery (CSRF) attacks on users of the impacted systems.

The issue has a CVSS score of 7.6 and has been fixed with the release of Dell SupportAssist Client

Tracked as CVE-2019-3719 and featuring a CVSS score of 7.1, the second vulnerability could be exploited by an unauthenticated attacker that shares the network access layer with the vulnerable system to compromise that system. 

For that, however, the attacker would need to trick the victim user into downloading and executing arbitrary files via the SupportAssist client, Dell noted in an advisory. The files would be fetched from attacker hosted sites. 

Bill Demirkapi, who found and reported the vulnerability, explains that the SupportAssist client fetches drivers from Dell’s website and that communication with the local systems takes place over an exposed REST API on port 8884, 8883, 8886, or 8885, depending on which is available. 

The process involves a series of integrity checks, but one of the functions involved in these checks provides the attacker with a lot of ground to work with, the researchers says. The issue can be abused in multiple ways, one of which involves generating a random subdomain name and using an external machine to DNS Hijack the victim and respond to requests with this server instead.

“Some concerning factors I noticed while looking at different types of requests I could make is that I could get a very detailed description of every piece of hardware connected to my computer using the ‘getsysteminfo’ route. Even through Cross Site Scripting, I was able to access this data, which is an issue because I could seriously fingerprint a system and find some sensitive information,” Demirkapi says. 

Advertisement. Scroll to continue reading.

One of the methods exposed by the client would download a file from a specified URL and then run it. Checks are performed to ensure that the right files are downloaded and that they come from Dell’s website. 

The exploitation process, the researcher explains, involves tricking the client into accepting a payload that does not come from Dell’s accepted subdomains. After overcoming this obstacle, he was able to set up the attack from a local network. 

The researcher also published a demo to show how the vulnerability can be exploited, and made the proof-of-concept code available online. 

Related: Dell Resets User Passwords Following Data Breach

Related: Dell Patches Vulnerability in Pre-installed SupportAssist Utility

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights