Dell has copped to a flaw in SupportAssist – a Windows-based troubleshooting program preinstalled on nearly every one of its newer devices running the OS – that allows local hackers to load malicious files with admin privileges.
The company has issued an advisory about the flaw, warning that a locally authenticated low-privilege user could exploit the vuln to load arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of malware.
SupportAssist scans the system’s hardware and software, and when an issue is detected, it sends the necessary system state information to Dell for troubleshooting to begin.
This type of vulnerability is fairly common, but typically requires admin privileges to exploit, so isn’t generally considered a serious security threat. But Cyberark’s Eran Shimony, who discovered the bug, said that in this case, SupportAssist attempts to load a DLL from a directory that a regular (non-admin) user can write into.
“Therefore, a malicious non-privileged user can write a DLL that would be loaded by DellSupportAssist, effectively gaining code execution inside software that runs with NT AUTHORITY\System privileges,” Shimony told The Reg.
“This is because you can write a code entry inside a function called DLLMain (in the malicious DLL) that would be called immediately upon loading. This code piece would run in the privilege level of the host process.”
The flaw (CVE-2020-5316), which has a severity rating of “high”, affects Dell SupportAssist for business PCs version 2.1.3 or earlier and for home PCs version 3.4 or earlier.
Business users need to update to version 2.1.4 for and home desk jockeys should roll over to version 3.4.1 to get the fixes.