Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //
6/24/2019
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb

Millions of Dell PCs at Risk Due to Software Flaw

SafeBreach found that one library of software which was used to construct Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't.

SafeBreach Labs has found a problem with the disk trouble-shooting software that comes preinstalled on Dell Computers. It fails at DLLs. The software comes preinstalled on Dells that run Windows, which means that 100 million installs are at risk.

SafeBreach found that one library of software which was used to construct Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't. The "Common.dll" library that was used in creation of the Assistant tool was part of an effort that was supposed to provide Dell with a lot of the low-level hardware accessing functionality that it needed available to it, including the option to load a DLL file.

The actual code in "Common.dll" as written by PC-Doctor, a Nevada based company which develops hardware-diagnostic software. They also sell the tool to Intel, Yokogawa, IBM and others.

The researchers said that there are two root causes for the vulnerability:

      1. "The lack of safe DLL loading. The code is using

LoadLibraryW

      , instead of using

LoadLibraryExW

    which allows defining the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR which searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.

2. No digital certificate validation is made against the binary. The program doesn't validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL without any hesitation."

So, an attacker could load a DLL with this driver that could elevate its own privileges and run arbitrary code.

There have been others previously seeing some major problems with SupportAssist's drivers (which were also written by PC-Doctor) that can be readily exploited by attackers.

For example, a security researcher named Bryan Alexander found a vulnerability that would allow a non-admin user to send a message to the driver that would unlock access to the hardware.

Dell had already patched SupportAssist in April to reflect a problem outlined in CVE-2019-3719. In this vulnerability scenario, a user on the machine's LAN that visits a malicious web page could pick up JavaScript code that can trick the tool into downloading and running files from an attacker-controlled location.

Dell admitted the existence of the problem to SecurityNow. They have also just published a security advisory about it.

Dell told SN that PC-Doctor fixed the code and then, "released the fix to Dell, we implemented it and released updates on May 28, 2019 for the affected SupportAssist versions. More than 90% of customers to date have received the update and are no longer at risk. Most customers have automatic updates enabled, which is a general security best practice to keep software and systems up to date. We urge customers to turn on automatic updates or manually update their SupportAssist software."

Even if the download rate was that high, it still leaves 10 million users at risk.

When questioned on the download numbers Dell said: "We have data showing the number of updated downloads so we can confidently say more than 90% have downloaded the update."

Eric Goldman of PC-Doctor agrees with Dell's statement. He told Security Now: "I can confirm all affected customers had updates released, and most of the affected users have been upgraded."

When asked about the update propagation, he added: "I can confirm approximately 90% of all users -- any user running SupportAssist, PC-Doctor Toolbox for Windows, or a rebranded version of PC-Doctor Toolbox for Windows -- have upgraded to a fixed version."

As far as how OEM customers were affected, Goldman said: "The same technology in this product is also in PC-Doctor Toolbox for Windows, which is rebranded for other OEMs. These are smaller OEMs, so the impact is only in the thousands, not millions."

So, Dell got nailed by a third-party supply chain attack vector that they paid for. They seem to have taken reasonable mitigation steps, but even Dell admits there are 10 million users out there that need to update their tool, and they need to do it now.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35670
PUBLISHED: 2022-08-11
Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Expl...
CVE-2022-35671
PUBLISHED: 2022-08-11
Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR....
CVE-2022-35673
PUBLISHED: 2022-08-11
Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update 4 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute ...
CVE-2022-35674
PUBLISHED: 2022-08-11
Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update 4 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute ...
CVE-2022-35675
PUBLISHED: 2022-08-11
Adobe FrameMaker versions 2019 Update 8 (and earlier) and 2020 Update 4 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a mal...