Flaw in Dell’s SupportAssist: The Help that Hurts
Most Dell computers are affected by a flaw in SupportAssist that gives attackers admin privileges on the device.
Many new Dell computers running Windows will come pre-installed with SupportAssist, which according to Dell’s website “provides automated, proactive and predictive technology that reduces troubleshooting steps and speed up your resolution time.” The only problem with this time-saving support is that it’s also giving hackers admin privileges to your device.
The exact number of affected end users has not been released, but the SupportAssist application comes preloaded on all new Dell computers sold with Windows. Anyone who still has it running is vulnerable to this kind of attack and needs to update the application right away, or uninstall it completely. The vulnerability has been known since October last year, but a patch was only released on April 23rd, 2019. Devices that the company sells without Windows are not affected, since the app doesn’t come pre-installed.
How The Attack Works
H/T to Bill Demirkapi, a 17-year-old security researcher who discovered the SupportAssist app vulnerability and notified Dell about the bug a few months ago. He posted a full vulnerability report on his GitHub and a demo video of the attack.
The attack begins by luring the user to a malicious web page; from there, Dell’s SupportAssist is tricked into downloading and running malware on the user’s PC.
SupportAssist runs with administrative privileges by default, which the vast majority of Windows applications do not. Because of this, an attacker who abuses it gains administrative rights on the user’s PC.
The most likely scenarios in which an attacker can exploit the app’s vulnerability remotely are when the victim is on a public Wi-Fi or large enterprise network, e.g. the Wi-Fi at your local Starbucks, workplace, or school.
From there, the attacker can launch Address Resolution Protocol (ARP) spoofing attacks, which let them intercept traffic meant for legitimate IP addresses within the network, as well as DNS attacks.
How Syxsense Can Help
Syxsense can offer a few solutions for the situation:
- Inventory Queries can instantly show which devices are affected because they have SupportAssist installed, and confirm which are safe because it is not.
- Software Distribution can be leveraged to uninstall the Dell software via the original installer or via a script.
- Post-uninstall, Syxsense can re-verify that the software no longer exists.
- Syxsense’s Remote Control feature can be leveraged to verify that additional admin accounts were not created on the individual endpoints.
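The four steps above (inventory, uninstall, re-verification, and a check for unexpected admin accounts) can also be scripted directly on an endpoint. The PowerShell below is an added example written for this article; it is not Syxsense or Dell code. It assumes that SupportAssist registers itself under the standard Windows Uninstall registry keys with a DisplayName containing "SupportAssist", that the registered uninstall command can be run non-interactively, and that the list of expected local administrators is supplied by the operator; the version cut-off is a placeholder to be filled in from Dell’s advisory.

```powershell
# Added example (not Syxsense or Dell code): inventory, optional removal, re-verification
# and local-administrator review for Dell SupportAssist on one Windows endpoint.
# Run in an elevated PowerShell session on Windows 10 / Server 2016 or later.
param(
    [switch]$Uninstall,                               # remove the application if found
    [string[]]$ExpectedAdmins = @('Administrator'),   # accounts expected in local Administrators
    [version]$FixedVersion = '0.0.0.0'                # PLACEHOLDER: fixed version from Dell's advisory
)

# Standard per-machine uninstall registration keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SupportAssistInstall {
    # Inventory step: return registered installs whose DisplayName mentions SupportAssist
    # (assumption: the product registers with that name).
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString, QuietUninstallString
}

$host_ = $env:COMPUTERNAME
$found = @(Get-SupportAssistInstall)

if ($found.Count -eq 0) {
    Write-Output "[$host_] SupportAssist not installed: not affected"
} else {
    foreach ($app in $found) {
        $ver = [version]'0.0'
        [void][version]::TryParse($app.DisplayVersion, [ref]$ver)
        $status = if ($ver -ge $FixedVersion -and $FixedVersion -ne [version]'0.0.0.0') { 'patched' } else { 'update or remove' }
        Write-Output "[$host_] Found '$($app.DisplayName)' version $($app.DisplayVersion): $status"
    }

    if ($Uninstall) {
        foreach ($app in $found) {
            # Prefer the vendor's quiet uninstall command when one is registered.
            $cmd = if ($app.QuietUninstallString) { $app.QuietUninstallString } else { $app.UninstallString }
            if (-not $cmd) { Write-Warning "[$host_] No uninstall command registered for $($app.DisplayName)"; continue }
            Write-Output "[$host_] Running: $cmd"
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $cmd" -Wait -NoNewWindow
        }
        # Re-verification step: query the registry again after the uninstall attempt.
        if (@(Get-SupportAssistInstall).Count -eq 0) {
            Write-Output "[$host_] Verified: SupportAssist is no longer registered"
        } else {
            Write-Warning "[$host_] SupportAssist is still registered after the uninstall attempt"
        }
    }
}

# Admin-account review: flag members of the local Administrators group that are not
# on the operator-supplied expected list (compares both 'DOMAIN\name' and bare 'name').
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$unexpected = $members | Where-Object {
    $bare = $_.Split('\')[-1]
    ($ExpectedAdmins -notcontains $_) -and ($ExpectedAdmins -notcontains $bare)
}
if ($unexpected) {
    Write-Warning "[$host_] Unexpected local administrators: $($unexpected -join ', ')"
} else {
    Write-Output "[$host_] Local Administrators group matches the expected list"
}
```

Run it once without `-Uninstall` to inventory a fleet (the output lines are easy to collect from a management tool), then with `-Uninstall` on the affected machines. The admin-group check is a simple allow-list comparison; any account it flags should be investigated rather than removed automatically, since legitimate deployment or help-desk accounts may be missing from the expected list.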