A high-severity security hole found in a Windows support tool bundled with Dell computers leaves millions of systems at risk of a privilege-escalation attack, reports SafeBreach.
Dell's SupportAssist tool includes PC-Doctor, which is licensed to other companies, so the vulnerability also affects OEMs that use a rebranded version of the PC-Doctor Toolbox for Windows software components. There may be more than 100 million affected systems that need immediate patching.
This vulnerability can be exploited to load an arbitrary unsigned DLL into a service that runs as SYSTEM, achieving privilege escalation and persistence, says SafeBreach.
Dell SupportAssist software is preinstalled on most Dell PCs. It proactively checks the system's hardware and software; to give it the high permission level required for these health checks, a signed driver is installed in addition to multiple services running as SYSTEM. An ACL that allows any authenticated user to write files to the directory the missing DLL is loaded from makes the privilege escalation ‘simple’, says SafeBreach, adding that it allows a regular user to write the missing DLL file and achieve code execution as SYSTEM.
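The following audit is an added example, not code from SafeBreach, Dell or PC-Doctor: it lists directories whose ACL lets ordinary users create files, the condition described above. It assumes the directories worth checking are those on the machine-wide PATH (the article does not name the affected location), and the function name is hypothetical.

```powershell
# Added example: audit sketch, not SafeBreach's or Dell's tooling.
# Assumption: audit the machine-wide PATH, which a SYSTEM service consults
# when resolving a DLL it cannot find in its earlier search locations.

# Well-known SIDs that cover ordinary, non-administrative logons.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# WriteData/AddFile (0x2), AppendData/AddSubdirectory (0x4),
# GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Find-BroadlyWritableDirectory {   # hypothetical name
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($dir in $Path) {
        $dir = [Environment]::ExpandEnvironmentVariables($dir.Trim())
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL of ${dir}: $_"; continue }

        # Ask for SIDs rather than names so the check works on localized Windows.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            # Inherit-only ACEs (flag value 2) apply to children, not to the directory itself.
            if (([int]$rule.PropagationFlags -band 2) -ne 0) { continue }
            if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }

            [pscustomobject]@{
                Directory = $dir
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' | Where-Object { $_.Trim() }
Find-BroadlyWritableDirectory -Path $machinePath | Format-Table -AutoSize
```

Any directory it reports should have the broad write ACE removed or be taken off the machine PATH, in addition to applying the vendor update.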
In a company statement Dell said, "Dell SupportAssist is not made by PC-Doctor. The vulnerability discovered by SafeBreach is a PC-Doctor vulnerability, which is a third-party component that ships with Dell SupportAssist for PCs. More than 90 percent of customers to date have received the update, released on May 28, 2019, and are no longer at risk. Dell SupportAssist updates automatically if automatic updates are enabled, and most customers have automatic updates turned on."
In an email to SC Media UK, Jake Moore, cyber-security specialist at ESET, noted: "This vulnerability highlights the issue of third-party applications that are given partial access and could potentially be exploited by malware to gain administrator rights.
"It also highlights the threat caused by rogue insiders and could cause companies to lose brand confidence even when it isn’t entirely their fault. Many PCs could be affected and as usual it is vitally important that these machines are updated to the latest version. Putting off a patch will decrease protection levels instantly, however inconvenient it may seem at the time."
Dell has issued a security advisory notice for users of Dell SupportAssist for Business PCs version 2.0, or Dell SupportAssist for Home PCs version 3.2.1 or an earlier version, who are now vulnerable and need to update to at least Dell SupportAssist for Business PCs version 2.0.1 or Dell SupportAssist for Home PCs version 3.2.2.