Two high-severity flaws in Dell’s client support tool, SupportAssist Client, could enable remote code-execution (RCE) and cross-site request forgery (CSRF) attacks.
SupportAssist helps users remove viruses or detect security issues on their PCs, and comes preinstalled on most new Dell devices.
“Dell SupportAssist Client has been updated to address multiple vulnerabilities which may be potentially exploited to compromise the system,” according to Dell’s security advisory. Both flaws impact Dell SupportAssist Client versions prior to 22.214.171.124.
The RCE flaw (CVE-2019-3719) has a CVSS score of 8, making it high-severity. An attacker could compromise the vulnerability by tricking a user into downloading and executing arbitrary executables through their SupportAssist client from attacker-hosted sites, Dell said. An unauthenticated attacker could exploit the flaw – but they would need to share the network access layer with the vulnerable system.
The researcher who discovered the flaw, 17-year-old Bill Demirkapi, published the proof of concept and a demo (below) of the attack on Tuesday.
Essentially, an important integrity check exists in SupportAssist called ClientServiceHandler.ProcessRequest, which is where the server checks to make sure requests are actually from Dell.
This allowed Demirkapi to “generate a random subdomain name and use an external machine to DNS [domain name server]-hijack the victim. Then, when the victim requests [random].dell.com, we respond with our server,” he said.
That means that if a Dell system user goes to a malicious website, SupportAssist could be tricked into downloading malware-laced files and running them on the device. Demirkapi said he initially notified Dell of the flaw Oct. 26, 2018. The flaw was patched April 18, and the public disclosure of the PoC was released this past week.
The second flaw is an improper origin validation vulnerability (CVE-2019-3718) with a ranking of 8.8, making it also a high-severity vulnerability.
The bug, which was discovered by John C. Hennessy-ReCar, could be exploited by unauthenticated remote attacker who could launch CSRF attacks on users of the impacted systems. CSRF allows an attacker to send malicious commands from one site to another using the credentials of a user that the destination site trusts. Further details on the flaw were not made available.
The computer-maker has had its fair share of security concerns, including last November, when the company warned its Dell.com customers of unauthorized activity on its network. Adversaries attempted to access names, email addresses and hashed passwords — which prompted a reset of all Dell.com customer passwords.