A vulnerability in the Dell SupportAssist software exposes Dell laptops and PCs to remote attacks that allow hackers to execute code with administrator privileges on devices running an older version of the software.
Dell released a fix for this security issue on April 23. However, many users are likely to remain vulnerable unless they have already updated the tool, which is used for debugging, diagnostics, and automatic Dell driver updates.
The number of affected users is considered very high because the SupportAssist tool is one of the pre-installed applications on all Dell laptops and computers. The software ships only on devices running Windows; systems sold without an operating system are not affected.
According to Bill Demirkapi, a 17-year-old US security researcher, the Dell SupportAssist application has a "remote code execution" vulnerability that, under certain circumstances, allows attackers to easily hijack Dell systems.
Because the Dell SupportAssist tool runs with administrator privileges, attackers gain full access to targeted systems if they are able to position themselves correctly to perform this attack.
The attack requires a LAN or router compromise
"The attacker must be on the victim's network to perform an ARP spoofing attack and a DNS spoofing attack on the victim's machine to execute external code," Demirkapi told ZDNet in an email conversation.
This may sound difficult, but it is not as complicated as it seems.
The attack could work in two cases: public WiFi networks or large corporate networks where at least one compromised computer can be used to perform ARP and DNS spoofing attacks against Dell systems running the SupportAssist tool.
Another plausible scenario is one where hackers have compromised the user's local WiFi router and can tamper with DNS traffic directly on the router.
As we have seen in recent months, hacking routers to hijack DNS traffic is no longer a sophisticated attack and is becoming more common, especially due to the sad state of router security.
The attack does not require user interaction
As Demirkapi explained to ZDNet, the iframe will point to a subdomain of dell.com, and a DNS spoofing attack from an attacker-controlled computer or router returns an incorrect IP address for the dell.com domain, allowing the attacker to control the files sent to and executed by the SupportAssist tool.
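A defender can look for the spoofed resolution described above in DNS resolver logs. The following is an added example, not code from the article or from Demirkapi's report; the log format, hostnames and addresses are constructed, and treating a private or link-local answer for a dell.com name as suspicious is an assumption about where a LAN-positioned attacker would host files.

```python
import ipaddress

WATCHED = "dell.com"  # domain named in the article
# Ranges a LAN-positioned spoofer would typically answer with (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample resolver log: "<time> <client> <qname> <rtype> <answer>"
SAMPLE_LOG = """\
2019-05-01T10:00:01Z 192.168.1.23 host1.dell.com A 203.0.113.10
2019-05-01T10:00:05Z 192.168.1.23 www.example.org A 192.168.1.50
2019-05-01T10:00:09Z 192.168.1.40 host1.dell.com A 192.168.1.66
2019-05-01T10:00:12Z 192.168.1.40 notdell.com A 10.0.0.5
2019-05-01T10:00:15Z 192.168.1.41 DELL.COM. AAAA fe80::1
2019-05-01T10:00:20Z 192.168.1.41 dell.com.evil.example A 10.0.0.9
malformed line
"""

def under_watched(qname):
    """True only for dell.com itself or a real subdomain of it."""
    name = qname.rstrip(".").lower()
    return name == WATCHED or name.endswith("." + WATCHED)

def is_local(answer):
    """True if the answer parses as an IP inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)

def suspicious_answers(log_text):
    """Return (time, client, qname, answer) for watched names resolving locally."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] not in ("A", "AAAA"):
            continue  # skip malformed lines and other record types
        when, client, qname, _rtype, answer = fields
        if under_watched(qname) and is_local(answer):
            hits.append((when, client, qname.rstrip(".").lower(), answer))
    return hits

if __name__ == "__main__":
    for hit in suspicious_answers(SAMPLE_LOG):
        print("suspicious:", *hit)
```

The client address in each hit identifies the machine that received the spoofed answer, which is where to check the installed SupportAssist version first.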
The good news is that Dell took the researcher's report seriously and spent several months working on CVE-2019-3719, an effort that ended last week with the release of SupportAssist v126.96.36.199, which Dell users are now advised to install.
Fantastic work from dell here to solve this problem. Most other hardware vendors would not even have responded. Great find by Bill as always. Can't wait until he starts breaking Windows things 🙂 https://t.co/hp3SA6omRb
– Alex Ionescu (@aionescu) May 1, 2019
Proof-of-concept code to reproduce the attack is available on GitHub, and Demirkapi has also released a demo video that shows how easily an attack can compromise the security of a device. Demirkapi's vulnerability report, with more technical details, is available on the young researcher's blog.
Source: Dell laptops and computers vulnerable to remote hijacks