Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

6/24/2019
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Millions of Dell PCs at Risk Due to Software Flaw

SafeBreach found that one library of software which was used to construct Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't.

SafeBreach Labs has found a problem with the disk trouble-shooting software that comes preinstalled on Dell Computers. It fails at DLLs. The software comes preinstalled on Dells that run Windows, which means that 100 million installs are at risk.

SafeBreach found that one library of software which was used to construct Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't. The "Common.dll" library that was used in creation of the Assistant tool was part of an effort that was supposed to provide Dell with a lot of the low-level hardware accessing functionality that it needed available to it, including the option to load a DLL file.

The actual code in "Common.dll" as written by PC-Doctor, a Nevada based company which develops hardware-diagnostic software. They also sell the tool to Intel, Yokogawa, IBM and others.

The researchers said that there are two root causes for the vulnerability:

      1. "The lack of safe DLL loading. The code is using

LoadLibraryW

      , instead of using

LoadLibraryExW

    which allows defining the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR which searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.

2. No digital certificate validation is made against the binary. The program doesn't validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL without any hesitation."

So, an attacker could load a DLL with this driver that could elevate its own privileges and run arbitrary code.

There have been others previously seeing some major problems with SupportAssist's drivers (which were also written by PC-Doctor) that can be readily exploited by attackers.

For example, a security researcher named Bryan Alexander found a vulnerability that would allow a non-admin user to send a message to the driver that would unlock access to the hardware.

Dell had already patched SupportAssist in April to reflect a problem outlined in CVE-2019-3719. In this vulnerability scenario, a user on the machine's LAN that visits a malicious web page could pick up JavaScript code that can trick the tool into downloading and running files from an attacker-controlled location.

Dell admitted the existence of the problem to SecurityNow. They have also just published a security advisory about it.

Dell told SN that PC-Doctor fixed the code and then, "released the fix to Dell, we implemented it and released updates on May 28, 2019 for the affected SupportAssist versions. More than 90% of customers to date have received the update and are no longer at risk. Most customers have automatic updates enabled, which is a general security best practice to keep software and systems up to date. We urge customers to turn on automatic updates or manually update their SupportAssist software."

Even if the download rate was that high, it still leaves 10 million users at risk.

When questioned on the download numbers Dell said: "We have data showing the number of updated downloads so we can confidently say more than 90% have downloaded the update."

Eric Goldman of PC-Doctor agrees with Dell's statement. He told Security Now: "I can confirm all affected customers had updates released, and most of the affected users have been upgraded."

When asked about the update propagation, he added: "I can confirm approximately 90% of all users -- any user running SupportAssist, PC-Doctor Toolbox for Windows, or a rebranded version of PC-Doctor Toolbox for Windows -- have upgraded to a fixed version."

As far as how OEM customers were affected, Goldman said: "The same technology in this product is also in PC-Doctor Toolbox for Windows, which is rebranded for other OEMs. These are smaller OEMs, so the impact is only in the thousands, not millions."

So, Dell got nailed by a third-party supply chain attack vector that they paid for. They seem to have taken reasonable mitigation steps, but even Dell admits there are 10 million users out there that need to update their tool, and they need to do it now.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.