Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/31/2016
04:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Pre-Loaded Laptop Software Comes With Security Risks

Laptops from Dell, HP, Asus, Acer and Lenovo all had at least one vulnerability that could result in complete compromise of system, Duo Security report says.

Pre-loaded software update tools installed on laptops from five major OEM PC vendors can lead to a full system compromise in less than 10 minutes, according to an investigation conducted by Duo Security.

Acer, Asus, Dell, Hewlett-Packard, and Lenovo all had at least one vulnerability that could result in a man-in-the middle attack, allowing for a complete compromise of the affected machine, say researchers at Duo Labs, the company’s research arm.

“The Original Equipment Manufacturer software landscape is complicated and includes a depressing amount of superfluous tools for vendor support, free software trials, and other vendor-incentivized crapware (or bloatware). Some apps do nothing more than add a shortcut to launch your web browser to a specific site,” according to the Duo Lab report "Out-of-the Box-Exploitation, A Security Analysis of OEM Updaters."

Pre-loaded OEM software has serious implications for system security. For example, in early 2015 adware called Superfish pre-installed on Lenovo laptops tampered with the Windows Platform Binary Table, allowing attackers to eavesdrop on unwitting users’ web browser traffic. Later in the year, some Dell computers became vulnerable to man-in-the-middle attacks because of an issue with the eDellRoot certificate authority.

“Every time something like this happens, we are reassured that the offending vendor of the day cares deeply about our security and privacy. Unfortunately, a cursory analysis of most OEM software reveals that very limited, if any security review was performed,” the report states.

“The thing about software updaters is that they are inherently privileged. They have to run with full system permission in order to change and modify anything,” says Darren Kemp, an analyst and author of the Duo Lab report.  “A lot of the vulnerabilities we found were easy to find and easy to exploit; it is a real enticing target for attackers.”

All vendors had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, which would allow a complete compromise of a system.  In total, Duo Labs identified and reported twelve different vulnerabilities across all of the vendors.

Key findings included:

  • Dell: one high-risk vulnerability involving lack of certificate best practices, known as eDellroot.
  • Hewlett Packard: two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium- to low-risk vulnerabilities were also identified.
  • Asus: one high-risk vulnerability that allows for arbitrary code execution as well as one medium-severity local privilege escalation.
  • Acer: two high-risk vulnerabilities that allow for arbitrary code execution.
  • Lenovo: one high-risk vulnerability that allows for arbitrary code execution.

“Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities,” the report states.

Duo Security recommends that OEMs should consider hardening their updaters through the consistent use of Transport Layer Security (TLS) for the transmission of manifests and packages/executable files. TLS would have made exploitation of the flaws discovered highly improbable, with the exception of those like the eDellRoot issue, the researchers say.

Hewlett-Packard and Lenovo responded and moved quickly to fix high-risk vulnerabilities, says Steve Manzuik, director of security researcher with Duo Security.  However, Duo Security found it “difficult to get a response” from Acer and Asus. “When we did get a response from them, just getting a follow-up or confirmation that ‘Yes we released a patch and are fixing it,’ proved to be very difficult. It required a lot of communication on our end to ensure that they are on the right track,” Manzuik says.

Short of explicitly disabling updaters and removing OEM components altogether, the end user can do very little to protect themselves from the vulnerabilities created by OEM update components. However, Duo Security did provide users with some advice:

  • Wipe any OEM system, and reinstall a clean and bloatware-free copy of Windows before the system is used. Otherwise, reducing the attack surface should be the first step in any system-hardening process.
  • Identify unwanted, unnecessary software and disable or uninstall it — less complexity generally results in fewer security flaws.
  • Purchasing Microsoft Signature Edition systems may be beneficial, but it is not guaranteed to protect end users from flaws in OEM software altogether.
  • Dell, HP, and Lenovo vendors (in specific cases) appeared to perform more security due diligence when compared to Acer and Asus. 
Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
nouvomarketing
50%
50%
nouvomarketing,
User Rank: Apprentice
6/1/2016 | 10:21:09 PM
Preloaded security threat
Does this annoy anybody else that you're brand new laptop comes with built in security risks?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
GDPR Enforcement Loosens Amid Pandemic
Seth Rosenblatt, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4248
PUBLISHED: 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 175484.
CVE-2020-8329
PUBLISHED: 2020-05-28
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, causing an error to be displayed and preventing printer from functioning until the printer is rebooted...
CVE-2020-8330
PUBLISHED: 2020-05-28
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, preventing subsequent print jobs until the printer is rebooted.
CVE-2020-4231
PUBLISHED: 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could allow an authenticated user to perform unauthorized commands due to hazardous input validation. IBM X-Force ID: 175335.
CVE-2020-4232
PUBLISHED: 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could allow an attacker to enumerate usernames to find valid login credentials which could be used to attempt further attacks against the system. IBM X-Force ID: 175336.