Critical Bugs in Dell Wyse Thin Clients Allow Code Execution, Client Takeovers

The bugs rate 10 out of 10 on the vulnerability-severity scale, thanks to the ease of exploitation.

Dell has patched two critical security vulnerabilities in its Dell Wyse Thin Client Devices, which are small form-factor computers optimized for connecting to a remote desktop. The bugs allow arbitrary code execution and the ability to access files and credentials, researchers said.

Thin clients contain none of the typical processing power or intelligence on board that normal PCs would have; instead, they act as less-smart terminals that connect to applications hosted on a remote computer. They’re often used in environments where employers give workers access to only a certain set of applications or resources; or for remote workers to connect back to headquarters.

Wyse has been developing thin clients since the 1990s and was acquired by Dell in 2012. In the U.S. alone, more than 6,000 companies and organizations are using Dell Wyse thin clients inside their network, with many of these (but not all) being healthcare providers, according to researchers at CyberMDX, who discovered the flaws.

2020 Reader Survey: Share Your Feedback to Help Us Improve

As for how many devices are potentially impacted, it’s unclear — but Dell has said in the past that there are “millions” of Dell Wyse Thin Clients deployed within organizations.

The devices use ThinOS, which is remotely maintained by default using a local File Transfer Protocol (FTP) server, from which devices pull new firmware, packages and configurations.

The first bug (CVE-2020-29491) stems from the fact that Wyse Thin Client devices periodically ping the server in order to pull their latest configurations, the researchers found. They do so with no authentication. The issue is that “the configuration for all thin clients are found on a remote server, accessible for anyone on the network to read,” Elad Luz, head of research at CyberMDX, told Threatpost. “Meaning that a third-party in the network could also access those configuration files, and just by reading them, might potentially compromise a device. This is because those configuration files might contain credentials for different methods of remote access.”

The second bug (CVE-2020-29492) exists because the server where those configurations are stored permits read-and-write access to its configuration files, enabling anyone within the network to read and alter them using FTP.

“The second vulnerability is the more obviously dangerous of the two and enables those files to be written, giving the option to alter them. The two might sound similar but they are treated as two different issues because fixing just one of them does not fix the other,” Luz explained.

Together, the bugs pave the way for havoc, and unfortunately, are trivial to exploit.

“One of the main reasons this vulnerability is critical is that its attack complexity is very easy,” said Luz. “All it takes is uploading an altered text configuration file to a configuration server via FTP. No authentication to the thin client is required; the only possible authentication is with the FTP server (for the uploading the configuration), but by default it is installed with no credentials.”

Even if credentials were applied, they would be the same for the entire Wyse fleet within an organization, which would still be an insecure approach, he noted.

Attackers would need to have access to the organization’s network in order to carry out the attacks, which they can accomplish through an initial-access attack via email or by exploiting another vulnerability.

INI File Modifications

One of the most concerning outcomes of an attack is the ability to “modify the INI file holding configuration settings for the thin-client devices,” according to a CyberMDX blog post issued on Monday.

The INI files contain a long list of configurable parameters, according to the firm. Reading or altering those parameters opens the door to a variety of attack scenarios, including configuring and enabling virtual network computing (VNC) for full remote control, leaking remote-desktop credentials, and manipulating DNS results.

“A simple example – those units can be configured to allow VNC (a form of remote desktop control), credentials could be set, user prompt for this can be disabled,” Luz told Threatpost. “Given that a malicious actor [uses] the VNC configuration inside the INI file, they will be able to access every desktop session from each of the thin clients. This will gain them the ability to remotely access files on those remote desktops and run arbitrary code there. It’s similar to getting unlimited access to the fleet of computer desktops inside an organization.”

Both flaws were given CVSS vulnerability-severity scores of 10 out of 10.

“One of the main issues is that security is often overlooked during the design phase of these devices,” said Luz.

All Dell Wyse Thin Clients running ThinOS versions 8.6 and below are affected. Dell has issued a patch, and admins should update to version 9.x where possible. Others may have to use a workaround.

“Models which are compatible with ThinOs 9.x are now patched, other models should apply a different mitigation and possibly wait for a newer release of ThinOs 8.x (might be released this very week),” Luz said.

There has so far been no evidence of exploitation in the wild, he told Threatpost.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!


Suggested articles