Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

6/24/2019
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Millions of Dell PCs at Risk Due to Software Flaw

SafeBreach found that one library of software which was used to construct Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't.

SafeBreach Labs has found a problem with the disk trouble-shooting software that comes preinstalled on Dell Computers. It fails at DLLs. The software comes preinstalled on Dells that run Windows, which means that 100 million installs are at risk.

SafeBreach found that one library of software which was used to construct Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't. The "Common.dll" library that was used in creation of the Assistant tool was part of an effort that was supposed to provide Dell with a lot of the low-level hardware accessing functionality that it needed available to it, including the option to load a DLL file.

The actual code in "Common.dll" as written by PC-Doctor, a Nevada based company which develops hardware-diagnostic software. They also sell the tool to Intel, Yokogawa, IBM and others.

The researchers said that there are two root causes for the vulnerability:

      1. "The lack of safe DLL loading. The code is using

LoadLibraryW

      , instead of using

LoadLibraryExW

    which allows defining the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR which searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.

2. No digital certificate validation is made against the binary. The program doesn't validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL without any hesitation."

So, an attacker could load a DLL with this driver that could elevate its own privileges and run arbitrary code.

There have been others previously seeing some major problems with SupportAssist's drivers (which were also written by PC-Doctor) that can be readily exploited by attackers.

For example, a security researcher named Bryan Alexander found a vulnerability that would allow a non-admin user to send a message to the driver that would unlock access to the hardware.

Dell had already patched SupportAssist in April to reflect a problem outlined in CVE-2019-3719. In this vulnerability scenario, a user on the machine's LAN that visits a malicious web page could pick up JavaScript code that can trick the tool into downloading and running files from an attacker-controlled location.

Dell admitted the existence of the problem to SecurityNow. They have also just published a security advisory about it.

Dell told SN that PC-Doctor fixed the code and then, "released the fix to Dell, we implemented it and released updates on May 28, 2019 for the affected SupportAssist versions. More than 90% of customers to date have received the update and are no longer at risk. Most customers have automatic updates enabled, which is a general security best practice to keep software and systems up to date. We urge customers to turn on automatic updates or manually update their SupportAssist software."

Even if the download rate was that high, it still leaves 10 million users at risk.

When questioned on the download numbers Dell said: "We have data showing the number of updated downloads so we can confidently say more than 90% have downloaded the update."

Eric Goldman of PC-Doctor agrees with Dell's statement. He told Security Now: "I can confirm all affected customers had updates released, and most of the affected users have been upgraded."

When asked about the update propagation, he added: "I can confirm approximately 90% of all users -- any user running SupportAssist, PC-Doctor Toolbox for Windows, or a rebranded version of PC-Doctor Toolbox for Windows -- have upgraded to a fixed version."

As far as how OEM customers were affected, Goldman said: "The same technology in this product is also in PC-Doctor Toolbox for Windows, which is rebranded for other OEMs. These are smaller OEMs, so the impact is only in the thousands, not millions."

So, Dell got nailed by a third-party supply chain attack vector that they paid for. They seem to have taken reasonable mitigation steps, but even Dell admits there are 10 million users out there that need to update their tool, and they need to do it now.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-38258
PUBLISHED: 2021-10-25
NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostProcessCallback().
CVE-2021-38260
PUBLISHED: 2021-10-25
NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostParseDeviceConfigurationDescriptor().
CVE-2021-39223
PUBLISHED: 2021-10-25
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Richdocuments application prior to versions 3.8.6 and 4.2.3 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.t...
CVE-2021-39224
PUBLISHED: 2021-10-25
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud OfficeOnline application prior to version 1.1.1 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.txt` is locat...
CVE-2021-39225
PUBLISHED: 2021-10-25
Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. Ther...