Pre-loaded software update tools installed on laptops from five major OEM PC vendors can lead to a full system compromise in less than 10 minutes, according to an investigation conducted by Duo Security.
Acer, Asus, Dell, Hewlett-Packard, and Lenovo all had at least one vulnerability that could result in a man-in-the middle attack, allowing for a complete compromise of the affected machine, say researchers at Duo Labs, the company’s research arm.
“The Original Equipment Manufacturer software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivized crapware (or bloatware). Some apps do nothing more than add a shortcut to launch your web browser to a specific site,” according to the Duo Lab report "Out-of-the Box-Exploitation, A Security Analysis of OEM Updaters."
Pre-loaded OEM software has serious implications for system security. For example, in early 2015 adware called Superfish pre-installed on Lenovo laptops tampered with the Windows Platform Binary Table, allowing attackers to eavesdrop on unwitting users’ web browser traffic. Later in the year, some Dell computers became vulnerable to man-in-the-middle attacks because of an issue with the eDellRoot certificate authority.
“Every time something like this happens, we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any security review was performed,” the report states.
“The thing about software updaters is that they are inherently privileged. They have to run with full system permission in order to change and modify anything,” says Darren Kemp, an analyst and author of the Duo Lab report. “A lot of the vulnerabilities we found were easy to find and easy to exploit; it is a real enticing target for attackers.”
All vendors had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, which would allow a complete compromise of a system. In total, Duo Labs identified and reported twelve different vulnerabilities across all of the vendors.
Key findings included:
- Dell: one high-risk vulnerability involving lack of certificate best practices, known as eDellroot.
- Hewlett Packard: two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium- to low-risk vulnerabilities were also identified.
- Asus: one high-risk vulnerability that allows for arbitrary code execution as well as one medium-severity local privilege escalation.
- Acer: two high-risk vulnerabilities that allow for arbitrary code execution.
- Lenovo: one high-risk vulnerability that allows for arbitrary code execution.
“Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities,” the report states.
Duo Security recommends that OEMs should consider hardening their updaters through the consistent use of Transport Layer Security (TLS) for the transmission of manifests and packages/executable files. TLS would have made exploitation of the flaws discovered highly improbable, with the exception of those like the eDellRoot issue, the researchers say.
Hewlett-Packard and Lenovo responded and moved quickly to fix high-risk vulnerabilities, says Steve Manzuik, director of security researcher with Duo Security. However, Duo Security found it “difficult to get a response” from Acer and Asus. “When we did get a response from them, just getting a follow-up or confirmation that ‘Yes we released a patch and are fixing it,’ proved to be very difficult. It required a lot of communication on our end to ensure that they are on the right track,” Manzuik says.
Short of explicitly disabling updaters and removing OEM components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components. However, Duo Security did provide users with some advice:
- Wipe any OEM system, and reinstall a clean and bloatware-free copy of Windows before the system is used. Otherwise, reducing the attack surface should be the first step in any system-hardening process.
- Identify unwanted, unnecessary software and disable or uninstall it — less complexity generally results in fewer security flaws.
- Purchasing Microsoft Signature Edition systems may be beneficial, but it is not guaranteed to protect end users from flaws in OEM software altogether.
- Dell, HP, and Lenovo vendors (in specific cases) appeared to perform more security due diligence when compared to Acer and Asus.