Dell has issued a security update to patch a high-rated vulnerability that allows local attackers to run arbitrary code with administrator privileges on affected computers. The issue was reported by CyberArk researcher Eran Shimony.
“Dell SupportAssist for business PCs and Dell SupportAssist for home PCs have been updated to address an uncontrolled search path vulnerability,” said the advisory announcement.
“A locally authenticated low privileged user could exploit this vulnerability to cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code,” it added.
The SupportAssist Client software flaw, rated 7.8 in severity, affects SupportAssist for business PCs version 2.1.3 or earlier and SupportAssist for home PCs version 3.4 or earlier. What makes the issue alarming is that the SupportAssist software comes preinstalled on most new Dell devices running the Windows operating system.
SupportAssist is installed to check the health of the system's hardware and software, detect any issue and share the information with Dell to initiate troubleshooting.
Local access as a low-privileged user on the system is needed to exploit the flaw, making it comparatively less severe. However, attackers commonly abuse DLL search-order hijacking bugs like this one in binary planting attacks: a DLL dropped into a writable directory on the search path gets loaded and run by the privileged binary. The flaw therefore opens the way to further compromise of the computer and gives attackers an upper hand in later stages of an attack.
“Agents such as SupportAssist have access to users' devices in an autonomous way in order to monitor both hardware and software. SupportAssist agent's minimum requirements are administration access privileges. This level of privilege combined with a vulnerability associated with remote code execution (RCE) could easily become widespread and very disruptive, and could potentially affect millions of PCs globally,” commented Eoin Keary, CEO and cofounder of edgescan.
“All versions of SupportAssist automatically upgrade to the latest version available if automatic upgrades are enabled. Customers can check which version they are running and upgrade to a newer version of SupportAssist if available,” said the advisory.
The process is a bit more complicated for business customers. Dell recommends following the Dell SupportAssist for business PCs deployment guide for deployment instructions.
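The version check the advisory describes can be scripted for a fleet. The PowerShell below is an added example, not Dell's or the advisory's own tooling: it reads the standard Windows uninstall registry keys, picks out entries whose display name contains "SupportAssist", and flags versions at or below the affected ceilings quoted above (business 2.1.3, home 3.4). Telling the business and home editions apart by product name is an assumption, as is reading "X.Y or earlier" as covering every build within X.Y.

```powershell
# Added example, not from Dell or the advisory. Inventories Dell SupportAssist installs
# via the standard Windows uninstall keys and flags affected versions.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Highest affected version per edition, taken from the advisory text.
$affectedCeiling = @{
    Business = [version]'2.1.3'
    Home     = [version]'3.4'
}

function Test-AtOrBelowCeiling {
    param([version]$Installed, [version]$Ceiling)
    # Assumption: "X.Y or earlier" means any build whose leading components are <= X.Y,
    # so 3.4.2 counts as affected against a ceiling of 3.4. Missing components (-1)
    # are treated as 0 before comparing.
    $parts = @($Installed.Major, $Installed.Minor, $Installed.Build, $Installed.Revision)
    $count = ($Ceiling.ToString() -split '\.').Count
    $truncated = [version](($parts[0..($count - 1)] | ForEach-Object { [math]::Max($_, 0) }) -join '.')
    return $truncated -le $Ceiling
}

function Get-SupportAssistStatus {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' } |
        ForEach-Object {
            # Assumption: the edition is recognisable from the product name.
            $edition = if ($_.DisplayName -match 'business') { 'Business' } else { 'Home' }
            $installed = $null
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$installed)
            [pscustomobject]@{
                Name       = $_.DisplayName
                Edition    = $edition
                Version    = $_.DisplayVersion
                Affected   = if ($parsed) { Test-AtOrBelowCeiling $installed $affectedCeiling[$edition] } else { 'unknown' }
                Publisher  = $_.Publisher
            }
        }
}

$results = Get-SupportAssistStatus
if (-not $results) {
    Write-Output 'SupportAssist is not installed on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it elevated so both registry views are readable; an `Affected` value of `True` means the host still needs the update or, per the corporate advice below, removal.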
“In a corporate environment, I'd suggest removing SupportAssist from all machines. It does not provide much value to corporate users. The idea of having agents enabled on a computer, running with administration access which can send data outside the corporate network, is a risk that should be removed,” said Keary.
“Obviously patching of systems on a continuous basis is also key to any robust cyber security posture. If you have never used SupportAssist, I would advise users to remove it. The same rule stands for any software on your computer. The more "moving parts" there are, the more complex it becomes to secure the attack surface and the larger the risk becomes.”
Dell last year patched a remote code execution vulnerability in the SupportAssist Client software. That flaw allowed unauthenticated attackers on the same network access layer as the targeted system to remotely execute arbitrary executables on vulnerable devices.