Dell computers became victims of RCE attacks by vulnerabilities in SupportAssist

Dell recently quietly released a new security update to patch the SupportAssist Client software vulnerability, potentially allowing attackers to not authenticate on the same Network Access layer using executable malware from away from arbitrary privileges on the victim's computer.

According to the information listed on Dell's website, SupportAssist software is "pre-installed on most new Dell devices running Windows operating systems" and it "is designed to actively test the health of the part system. When the problem is detected, the necessary system status information will be sent to Dell so that the manufacturer can begin to analyze and provide corrective measures. trouble".

Dell computers became victims of RCE attacks by vulnerabilities in SupportAssist Picture 1

1. Malware stored in Google Sites sends data to the MySQL server

Basically, SupportAssist is an extremely useful software, showing Dell's thoughtful self-interest in customer care policy. However, the tool contains a vulnerability that makes it unintentionally a malicious "hub" station, making it easy for Dell computer users to become victims of RCE attacks.

Most new Dell computers run the risk of being exposed to RCE attacks

According to an explanation from Dell, "first unauthenticated attackers will share network access layers with vulnerable systems, then take remote execution rights over Vulnerable system by tricking users (victims) to download and execute arbitrary executable commands through the SupportAssist client from the attacker's site ".

This tracked software vulnerability has a CVE-2019-3719 identifier and comes with a high severity rating of 8.0 according to the CVSSv3 rating set by the National Vulnerability Database (NVD), United States.

In fact, Dell patched SupportAssist software in late April after receiving a report of a vulnerability sent from 17-year-old security researcher Bill Demirkapi on October 10, 2018.

Dell computers became victims of RCE attacks by vulnerabilities in SupportAssist Picture 2

1. Apple updates XProtect to block 'Windows' malware on a Mac

In addition, Dell does not forget to recommend all its customers to update the SupportAssist Client as soon as possible, since all previous versions of 3.2.0.90 or higher are likely to become victims of attacks. remote code execution tool (RCE).

Incorrect validation root vulnerability has also been patched

In a related move, Dell has also performed an improper root validation error in the SupportAssist Client software reported by security researcher John C. Hennessy-ReCar, followed by a CVE identifier - 2019-3718 and comes with CVSS rating v3.0 high severity is 8.8.

The Dell said in the same security recommendation that "non-authenticated remote attackers have the ability to exploit this vulnerability to try to implement CSRF attacks targeted at users of the systems. affected".

Customers who want to protect themselves from potential attacks trying to exploit this software vulnerability are encouraged to update the SupportAssist application to the new version if they are using previous versions 3.2.0.90.

Security researcher Bill Demirkapi discovered that this RCE vulnerability could completely be exploited by attackers using ARP spoofing attacks and DNS to transmit the RCE payload to the victim's Dell computer. .

Dell computers became victims of RCE attacks by vulnerabilities in SupportAssist Picture 3

1. India's largest IT services company is hit by a hacker '

Bill Demirkapi then released a detailed technical description of the steps he took to explore the software flaw and proof of the concept of RC SupportAssist's RCE. In addition, this hacker also published a demo video on YouTube stating exactly the process:

1. Malicious ad campaigns abuse Chrome to steal 500 million iOS user sessions

This is not the first time that Dell's software has been found to contain vulnerable vulnerabilities to execute remote code execution attacks. Previously a similar security flaw was found by security researcher Tom Forbes in the Dell System Detect program in 2015. At that time, Forbes said that the vulnerability had "allowed an attacker to activate." The program aims to download and execute an arbitrary file without any user interaction. "