Flaw in Dell’s SupportAssist: The Help that Hurts

Many new Dell computers running Windows will come pre-installed with SupportAssist, which according to Dell’s website “provides automated, proactive and predictive technology that reduces troubleshooting steps and speeds up your resolution time.”  The only problem with this time-saving support is that it’s also giving hackers admin privileges to your device.

The exact number of affected end-users has not been released, but the SupportAssist application comes preloaded on all new Windows computers. Anyone who still has it running would be vulnerable to this kind of attack and needs to update their application right away or uninstall the Dell SupportAssist application completely. The vulnerability has been known since October last year, but a patch was just released on April 23^rd, 2019.  Devices that the company sells without Windows are not affected, since the app doesn’t come pre-installed.

What is SupportAssist?

Dell’s SupportAssist is an automated support solution for Dell personal computers, tablets, storage devices, servers, and networking devices. In fact it’s the first automated solution that offers proactive and predictive support for a device. It helps prevent downtime before it has even begun by evaluating and monitoring device health along with the health of the servers and storage devices. It’s a truly proactive and preempting support solution that predicts the solution required by a device and offers resolution for problems that have not even surfaced.

How The Attack Works

H/T to Bill Demirkapi, a 17-year old security researcher who discovered the SupportAssist app vulnerability and notified Dell about the bug a few months ago. He posted a full vulnerability report on his Github and a demo video of the attack.

The attack works by first sending users to a malicious web page, which Dell’s SupportAssist is then tricked into downloading and running malware on the users’ PCs.

SupportAssist runs with administrative privileges by default, something that doesn’t apply to the vast majority of Windows applications. Because of this, the attackers are able to gain administrative rights on the users’ PCs.

The most likely scenarios in which the attacker can exploit the app’s vulnerability remotely is when the victims are on a public Wi-Fi or large enterprise network, i.e. Wi-Fi at your local Starbucks, workplace, or school.

From there, the attacker can launch Address Resolution Protocol spoofing attacks, giving them access to legitimate IP addresses within the network, as well as DNS attacks. Network, system, and endpoint security are ever more important in curbing the vulnerabilities arising from the flaw.

How Syxsense Can Help

As of February this year, Dell issued patches that are said to fix the vulnerability stemming from the flaw in their SupportAssist program. For those who do not have automatic Dell SupportAssist updates or are unable to update to Dell SupportAssist for business PCs version 2.1.4 or Dell SupportAssist for home PCs version 3.4.1, Syxsense can offer a few solutions to remedy the situation:

1. Inventory Queries can assist in instantly showing which devices are affected because they have SupportAssist installed or verify which are safe because it’s not.
2. Software Distribution can be leveraged to uninstall the Dell software via the original installer or via a script.
3. Post-uninstall, Syxsense can re-verify that the software no longer exists.
4. Syxsense’s Remote Control feature can be leveraged to verify that additional admin accounts were not created on the individual endpoints.
5. With the help of endpoint security, all entry points and end points of end-user devices like laptops, desktops, tablets, and mobile devices can be secured to ensure that these devices don’t allow SupportAssist attacks to the client network or devices.
6. Patch management is a crucial solution that can help resolve the Dell SupportAssist attacks or high-rated threats similar to those posed by Dell’s SupportAssist flaw. In fact Dell has already resolved the issue through a patch management solution, as explained above. Patches that fix the vulnerabilities arising from the flaw in Dell’s SupportAssist solution can help preempt the occurrence of any probable security issues or threats.