Application Security

6/24/2019
09:35 AM
Larry Loeb

Millions of Dell PCs at Risk Due to Software Flaw

SafeBreach found that one library of software which was used to construct Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't.

SafeBreach Labs has found a problem with the disk trouble-shooting software that comes preinstalled on Dell computers: it loads DLLs unsafely. The software ships on Dells that run Windows, which means that some 100 million installs are at risk.

SafeBreach found that one library used to build Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't. The "Common.dll" library used in creating the Assistant tool was meant to provide Dell with much of the low-level hardware-access functionality it needed, including the option to load a DLL file.

The actual code in "Common.dll" was written by PC-Doctor, a Nevada-based company that develops hardware-diagnostic software. It also sells the tool to Intel, Yokogawa, IBM and others.

The researchers said that there are two root causes for the vulnerability:

1. "The lack of safe DLL loading. The code is using LoadLibraryW, instead of using LoadLibraryExW which allows defining the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR which searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.

2. No digital certificate validation is made against the binary. The program doesn't validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL without any hesitation."

So, an attacker could have this driver load an arbitrary DLL, which could then elevate its own privileges and run arbitrary code.
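The two root causes above translate directly into two things an administrator can check on a machine: whether the DLLs in the product's own folder are actually Authenticode-signed (the check the program itself skips), and whether any directory on the system PATH is writable by low-privilege users (the precondition that makes an unrestricted LoadLibraryW search exploitable). The following PowerShell script is an added example written for this article; it is not Dell's, PC-Doctor's or SafeBreach's code. The install path in $InstallDir is an assumed placeholder, and the low-privilege SIDs and the Write/CreateFiles rights mask are choices made here, not values from the article.

```powershell
# Added example (not Dell's or PC-Doctor's code). Audits the two conditions behind
# the SupportAssist DLL-loading issue: unsigned DLLs in the product folder, and
# PATH directories that non-administrators can write to.
param(
    # Placeholder path (assumption): point this at the actual SupportAssist folder.
    [string]$InstallDir = 'C:\Program Files\Dell\SupportAssist'
)

function Test-DllSignatures {
    # Report the Authenticode status of every DLL under the directory.
    param([string]$Directory)
    Get-ChildItem -LiteralPath $Directory -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Status    = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

function Get-WritablePathDirectories {
    # Principals that should never hold write access on a directory searched for DLLs.
    # The SID list is this example's choice; extend it for local policy as needed.
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545'   # BUILTIN\Users
    )
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::CreateFiles)

    $dirs = $env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable or orphaned SID: skip
            if ($lowPrivSids -contains $sid) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Write-Host "== DLLs under $InstallDir without a valid signature =="
Test-DllSignatures -Directory $InstallDir |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize

Write-Host "== PATH directories writable by low-privilege principals =="
Get-WritablePathDirectories | Format-Table -AutoSize
```

Run it from Windows PowerShell 5.1 or PowerShell 7 on Windows; no elevation is needed to read ACLs or signatures. An empty first table means every DLL in the folder carries a valid signature (which does not by itself prove the loader checks it), and a non-empty second table is the finding to fix first, since a user-writable PATH entry is what a LoadLibraryW search without LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR will happily walk through.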

Others have previously found major problems with SupportAssist's drivers (which were also written by PC-Doctor) that attackers can readily exploit.

For example, a security researcher named Bryan Alexander found a vulnerability that would allow a non-admin user to send a message to the driver that would unlock access to the hardware.

Dell had already patched SupportAssist in April to reflect a problem outlined in CVE-2019-3719. In this vulnerability scenario, a user on the machine's LAN that visits a malicious web page could pick up JavaScript code that can trick the tool into downloading and running files from an attacker-controlled location.

Dell admitted the existence of the problem to Security Now. It has also just published a security advisory about it.

Dell told SN that PC-Doctor fixed the code and then, "released the fix to Dell, we implemented it and released updates on May 28, 2019 for the affected SupportAssist versions. More than 90% of customers to date have received the update and are no longer at risk. Most customers have automatic updates enabled, which is a general security best practice to keep software and systems up to date. We urge customers to turn on automatic updates or manually update their SupportAssist software."

Even if the download rate is that high, it still leaves 10 million users at risk.

When questioned on the download numbers Dell said: "We have data showing the number of updated downloads so we can confidently say more than 90% have downloaded the update."

Eric Goldman of PC-Doctor agrees with Dell's statement. He told Security Now: "I can confirm all affected customers had updates released, and most of the affected users have been upgraded."

When asked about the update propagation, he added: "I can confirm approximately 90% of all users -- any user running SupportAssist, PC-Doctor Toolbox for Windows, or a rebranded version of PC-Doctor Toolbox for Windows -- have upgraded to a fixed version."

As far as how OEM customers were affected, Goldman said: "The same technology in this product is also in PC-Doctor Toolbox for Windows, which is rebranded for other OEMs. These are smaller OEMs, so the impact is only in the thousands, not millions."

So, Dell got nailed by a third-party supply chain attack vector that they paid for. They seem to have taken reasonable mitigation steps, but even Dell admits there are 10 million users out there that need to update their tool, and they need to do it now.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
