A high-risk flaw in Dell’s software has put millions of consumer and business computers at risk from attackers who already have a foothold on the machine. The flaw is within Dell’s SupportAssist software, which is pre-installed on most Dell computers.
The flaw, tracked as CVE-2019-12280, is a DLL hijacking vulnerability. It stems from the way certain third-party components bundled with SupportAssist load their libraries.
Found in the OEM utility software by researchers at SafeBreach, the vulnerability can be exploited for privilege escalation: because the affected components run with SYSTEM privileges, a DLL planted by a low-privileged local user is loaded and executed at that level. SafeBreach informed Dell of the vulnerability in April 2019.
What is SupportAssist?
SupportAssist monitors the health of the hardware and software on most Dell computers that run Windows. The software can run diagnostics, identify issues, install drivers, and perform driver-update scans.
These system health checks require elevated privileges, and many of the associated services run as SYSTEM.
The vulnerable components were written by PC-Doctor, a Nevada-based diagnostics software firm. Once an attacker has code running inside these components, they can potentially reach PC-Doctor’s signed kernel driver, which exposes read and write access to physical memory.
Who the Dell vulnerability affects
The vulnerability affects users of Dell SupportAssist for Home PCs version 3.2.1 or Dell SupportAssist for Business PCs version 2.0, along with all prior versions. In total, more than 100 million copies of PC-Doctor for Windows have been installed on computers around the world.
The weakness also affects other OEM products built on rebranded versions of the PC-Doctor Toolbox for Windows components. These include:
CORSAIR ONE Diagnostics
Tobii I-Series Diagnostic Tool
Tobii Dynavox Diagnostic Tool
Staples EasyTech Diagnostics
The DLL flaw has since been fixed, with patched versions released at the end of May and in early June 2019.
However, Dell PC owners who do not have automatic updating enabled are recommended to upgrade the software manually to ensure they receive the patch. Home users should upgrade to Dell SupportAssist for Home PCs version 3.2.2, while business users should upgrade to Dell SupportAssist for Business PCs version 2.0.1.
How the Dell vulnerability can be exploited
The vulnerability is located in a service called Dell Hardware Support. When the service starts, it launches the DSAPI.exe process, which in turn executes pcdrwi.exe.
pcdrwi.exe then runs a set of PC-Doctor executables with the .p5x extension, which collect hardware and operating system information. To do so, these executables load a number of DLLs. SafeBreach found that four of the requested DLLs, AlienFX.dll, LenovoInfo.dll, atiadlxy.dll, and atiadlxx.dll, did not exist on the system and were requested by file name only, so Windows searched its standard DLL search path, including every directory on the PATH, for them. A local attacker who can write to any directory on that search path can therefore plant a DLL with one of those names and have it loaded by the SYSTEM-level service, achieving privilege escalation.
SafeBreach’s researchers traced the loading code used by the p5x executables to the Common.dll library and identified two root causes:
- The DLLs are loaded by a shared library (Common.dll) using only a file name rather than an absolute path, so the Windows loader walks the DLL search order, PATH directories included, to find them.
- The loaded DLLs are not validated: no digital signature check is performed, so any file with the expected name is accepted.
Together, these allow a local attacker to have an arbitrary unsigned DLL loaded and executed by a signed service running as SYSTEM.
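To make the two root causes concrete, the following is an added example, not SafeBreach’s PoC and not PC-Doctor or Dell code. It models the Windows DLL search order in Python, shows which directory a bare LoadLibraryW call for one of the missing names would be satisfied from when a low-privileged user can write to a directory on the PATH, and contrasts that with a loader that resolves by absolute path and refuses unsigned files. The install directory, the directory layout and the presence of a user-writable C:\Python27 on the PATH are constructed assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The four DLL names the p5x executables request that were absent from the
# systems SafeBreach examined (names from the advisory).
MISSING_DLLS = ["LenovoInfo.dll", "AlienFX.dll", "atiadlxx.dll", "atiadlxy.dll"]


@dataclass
class Host:
    """Constructed view of a host: the directories the loader consults, which
    files each holds, and which directories an unprivileged user can write to."""
    app_dir: str            # directory of the executable making the LoadLibrary call
    system32: str
    system16: str           # 16-bit system directory (C:\Windows\System)
    windows: str
    cwd: str
    path: List[str]         # PATH entries, in order
    files: Dict[str, Set[str]] = field(default_factory=dict)
    user_writable: Set[str] = field(default_factory=set)

    def search_order(self) -> List[str]:
        # Standard order (SafeDllSearchMode on, the default) for a LoadLibrary
        # call that passes a bare file name instead of an absolute path.
        return [self.app_dir, self.system32, self.system16,
                self.windows, self.cwd, *self.path]

    def has_file(self, directory: str, name: str) -> bool:
        return name.lower() in {n.lower() for n in self.files.get(directory, ())}


def resolve_bare_name(host: Host, dll: str) -> Optional[str]:
    """Directory the vulnerable loader (LoadLibraryW with a bare name) would
    load `dll` from, or None if no file of that name exists anywhere in the
    search order, as was the case for the four names above."""
    for d in host.search_order():
        if host.has_file(d, dll):
            return d
    return None


def hijack_directory(host: Host, dll: str) -> Optional[str]:
    """First user-writable directory the loader consults before it would find
    any legitimate copy. A DLL planted there is what the SYSTEM service loads."""
    for d in host.search_order():
        if host.has_file(d, dll):
            return None     # a real copy is found first; a later plant never wins
        if d in host.user_writable:
            return d
    return None


def audit(host: Host) -> Dict[str, Optional[str]]:
    """Hijack point for each DLL the p5x executables ask for."""
    return {dll: hijack_directory(host, dll) for dll in MISSING_DLLS}


def hardened_load(host: Host, dll: str, install_dir: str,
                  vendor_signed: Set[str]) -> str:
    """Model of the fix: resolve by absolute path inside the product's own
    directory only, never via the search order, and reject anything without a
    valid vendor signature. `vendor_signed` stands in for the result of an
    Authenticode check (WinVerifyTrust); the check itself is not modelled."""
    full = ntpath.join(install_dir, dll)
    if not host.has_file(install_dir, dll):
        raise FileNotFoundError(full)           # no fallback to the PATH
    if dll.lower() not in {s.lower() for s in vendor_signed}:
        raise PermissionError(f"refusing unsigned DLL: {full}")
    return full


def sample_host() -> Host:
    """Constructed sample. The install directory and a user-writable
    C:\\Python27 on the PATH are assumptions made for illustration."""
    install = r"C:\Program Files\Dell\SupportAssistAgent\PCDr\SupportAssist"
    return Host(
        app_dir=install,
        system32=r"C:\Windows\System32",
        system16=r"C:\Windows\System",
        windows=r"C:\Windows",
        cwd=r"C:\Windows\System32",       # services start with System32 as CWD
        path=[r"C:\Windows\System32", r"C:\Windows",
              r"C:\Python27", r"C:\Program Files\Git\cmd"],
        files={install: {"pcdrwi.exe", "Common.dll"},
               r"C:\Windows\System32": {"kernel32.dll", "user32.dll"}},
        user_writable={r"C:\Python27"},
    )


if __name__ == "__main__":
    h = sample_host()
    for dll, where in audit(h).items():
        print(f"{dll:14s} found at: {resolve_bare_name(h, dll)}  hijackable via: {where}")
    # kernel32.dll is found in System32 before any writable directory, so it
    # cannot be hijacked this way; the four missing DLLs can.
    print("kernel32.dll hijackable via:", hijack_directory(h, "kernel32.dll"))
```

The point the model makes is that a DLL that is never found is the worst case for search-order hijacking: the loader walks the entire list, so the first directory the attacker can write to anywhere on the PATH wins. The hardened loader removes both root causes at once; an attacker-planted file outside the install directory is never considered, and a file inside it is still refused unless it is signed.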
SafeBreach’s researchers wrote a proof-of-concept (PoC) exploit to demonstrate that unsigned DLLs could indeed be loaded and executed this way. The vulnerability can be used for several purposes, such as loading and executing malicious payloads through a signed, legitimate service.
Attackers can abuse this capability for evasion and execution, for example:
- Application whitelisting bypass, since the payload is loaded by a trusted, signed process.
- Signature validation bypass, since the unsigned DLL runs in the context of a signed service.
Dell SupportAssist track record
This is not the first time that researchers have found vulnerabilities in Dell SupportAssist. In 2018, a researcher reported a separate privilege escalation flaw in the bundled PC-Doctor driver, and in April 2019 another researcher disclosed a SupportAssist weakness that could be exploited for code execution.