A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices running an older version of this utility and take over users' systems.
Dell released a patch for this security flaw on April 23; however, many users are likely to remain vulnerable unless they have already updated the utility, which is used for debugging, diagnostics, and auto-updating Dell drivers.
The number of impacted users is believed to be very high, as the SupportAssist utility is one of the apps that Dell pre-installs on all Dell laptops and computers the company ships with a working Windows OS (systems sold without an OS are not impacted).
According to Bill Demirkapi, a 17-year-old security researcher from the US, the Dell SupportAssist app is vulnerable to a "remote code execution" vulnerability that under certain circumstances can give attackers an easy way to hijack Dell systems.
Because the Dell SupportAssist utility runs as admin, attackers will have full access to targeted systems if they manage to get themselves in the right position to execute this attack.
Attack requires LAN/router compromise
"The attacker needs to be on the victim's network in order to perform an ARP Spoofing Attack and a DNS Spoofing Attack on the victim's machine in order to achieve remote code execution," Demirkapi told ZDNet today in an email conversation.
This might sound hard, but it isn't as complicated as it seems.
Two scenarios in which the attack could work include public WiFi networks or large enterprise networks where there is at least one compromised machine that can be used to launch the ARP and DNS attacks against adjacent Dell systems running the SupportAssist utility.
Another plausible scenario is in situations where hackers have compromised the users' local WiFi router and are able to modify DNS traffic directly on the router.
As we've seen in the past few months, hacking routers to hijack DNS traffic isn't an advanced attack anymore and is happening more and more often, primarily because of the sad state of router security [1, 2].
Attack requires no user interaction
As Demirkapi explained to ZDNet, the iframe will point to a subdomain of dell.com, after which a DNS spoofing attack carried out from an attacker-controlled machine/router will return an incorrect IP address for the dell.com domain, allowing the attacker to control what files are downloaded and executed by the SupportAssist utility.
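As an added illustration from the defender's side (not code from the article, from Demirkapi, or from Dell), the following Python script shows the two indicators a host or network monitor would look for if the attack path described above were underway on a LAN: an ARP binding for the gateway whose MAC address changes mid-session, and a dell.com hostname that suddenly resolves to an address inside the local network, or resolves differently from one lookup to the next. All observations are constructed sample data: the subdomain name `example-subdomain.dell.com` is a placeholder for whichever dell.com subdomain the iframe points to, and the IP and MAC addresses are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Address ranges a LAN attacker would typically redirect a name to. Listed
# explicitly rather than via ip_address.is_private, which would also match
# the documentation ranges used for the constructed sample data below.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]

# Constructed ARP observations (ip, mac) as a monitor would see them on the LAN.
ARP_EVENTS = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate binding
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway now claimed by another MAC
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # ordinary host, stable binding
]

# Constructed DNS answers (name, ip) the client received. 203.0.113.10 stands
# in for the vendor's real address; 192.168.1.50 is the kind of answer a
# spoofing host on the same LAN would inject.
DNS_EVENTS = [
    ("example-subdomain.dell.com", "203.0.113.10"),
    ("example-subdomain.dell.com", "192.168.1.50"),
    ("www.example.org", "198.51.100.7"),
    ("example-subdomain.dell.com", "203.0.113.10"),
]


def is_lan_address(ip):
    """True if ip falls inside one of the LAN_RANGES above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_RANGES)


def detect_arp_flips(events):
    """Return {ip: [macs in order first seen]} for IPs claimed by more than one MAC.

    A gateway whose MAC changes during a session is the classic symptom of an
    ARP spoofing attack redirecting the victim's traffic through another host.
    """
    seen = defaultdict(list)
    for ip, mac in events:
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def detect_dns_anomalies(events, suffix="dell.com"):
    """Return (name, detail, reason) findings for names under `suffix`.

    Two reasons are reported: "lan-address-answer" when a vendor hostname
    resolves to a LAN address, and "answer-changed" when the same name
    received more than one distinct answer during the observation window.
    """
    answers = defaultdict(list)
    findings = []
    for name, ip in events:
        if not (name == suffix or name.endswith("." + suffix)):
            continue  # only vendor names matter for this check
        if is_lan_address(ip):
            findings.append((name, ip, "lan-address-answer"))
        if ip not in answers[name]:
            answers[name].append(ip)
    for name, ips in answers.items():
        if len(ips) > 1:
            findings.append((name, ",".join(ips), "answer-changed"))
    return findings


if __name__ == "__main__":
    for ip, macs in detect_arp_flips(ARP_EVENTS).items():
        print(f"ARP: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for name, detail, reason in detect_dns_anomalies(DNS_EVENTS):
        print(f"DNS: {reason} for {name}: {detail}")
```

On the constructed data the script reports the gateway 192.168.1.1 flipping between two MACs and the dell.com placeholder name both resolving to a LAN address and changing its answer, while the unrelated example.org lookup is ignored. In a real deployment the events would come from an ARP watcher and the resolver or DNS query logs, and the LAN ranges would be narrowed to the site's own subnets.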
The good news is that Dell took the researcher's report seriously and has worked for the past months to patch CVE-2019-3719, a task that concluded last week with the release of SupportAssist v184.108.40.206, which Dell users are now advised to install.
Proof of concept to reproduce an attack is available on GitHub, and Demirkapi also published a demo video showing how easily an attack can lead to a full system compromise. Demirkapi's vulnerability report, for more technical details, is available on the young researcher's blog.