Dell Patches SupportAssist Flaw That Allows Arbitrary Code Execution

The uncontrolled search path vulnerability allows a local user to use DLLs to escalate privileges and affects Windows PCs.

Dell has patched a high-severity flaw in its SupportAssist software that could allow an attacker to execute arbitrary code with administrator privileges on affected computers.

The flaw, an uncontrolled search path vulnerability that is being tracked as CVE-2020-5316, could allow a locally authenticated user with low privileges to “cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code,” Dell wrote in its explanation of the bug.

The latest bug—discovered by CyberArk security researcher Eran Shimony, who notified Dell–affects both business and home users of Dell systems. The vulnerability exists in Dell SupportAssist for business PCs version 2.1.3 or older and home PCs version 3.4 or older, according to Dell.


“All versions of SupportAssist automatically upgrade to the latest version available if automatic upgrades are enabled. Customers can check which version they are running and upgrade to a newer version of SupportAssist if available,” Dell said. Customers can check the version of their software via the program itself and can also follow the steps to manually upgrade their software.

SupportAssist is “smart” software designed by Dell to alert the company of any problems on a customer’s hardware or software that may need to be resolved, according to the company.

“SupportAssist proactively checks the health of your system’s hardware and software,” the company said in its description of the software. “When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin.”

The latest flaw in the software has a CVSSv3 base score of 7.8, but is potentially most dangerous because it affects so many machines. According to Dell, SupportAssist comes preinstalled on most new Dell devices running Windows.

Moreover, it’s probably not a one of a kind problem, which means there are similar vulnerabilities that exist across numerous systems but remain undetected, said Roger Grimes, data driven defense evangelist at KnowBe4.

“This problem and others like it are a lot more widespread than just Dell alone,” he said in an e-mail to Threatpost. “It’s probably one of the most common under reported vulnerabilities and likely exists across tens of thousands if not hundreds of thousands of different, unrelated programs impacting many tens of millions of computers.”

The reason for this is that DLL vulnerabilities, while common, are not standalone problems, Grimes said. In addition to the type of vulnerability recently found in SupportAssist, another DLL problem “where a local executable file or DLL could be overwritten by any user” often exists as well, he said.

Moreover, these flaws also affect other parts of a computer system, Grimes said. “The key was besides finding one of these two flaws you had to find a program that relied on an executable or DLL that was running in an elevated context, like SYSTEM,” he said. “It’s not that hard to find these two things existing together at the same time.”

These vulnerabilities remain largely unreported because security researchers aren’t particularly interested in them, he said. However, neither are hackers, because “they can’t be easily exploited at scale,” Grimes said.

“These days it’s all about remotely executing code or client-side exploits where you trick an end-user into doing something they shouldn’t,” he said.

However, “for penetration testers who have local access and are looking for privilege escalation exploits” vulnerabilities like the one recently found in SupportAssist “really aren’t that hard to find,” he noted.

Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.

Suggested articles