Dell SupportAssist Bug Exposes Business, Home PCs to Attacks

Porthos

This is why I hate factory OEM update tools.

Dell published a security update to patch a SupportAssist Client software flaw which enables potential local attackers to execute arbitrary code with Administrator privileges on vulnerable computers.

According to Dell's website, the SupportAssist software is "preinstalled on most of all new Dell devices running Windows operating system."

SupportAssist also "proactively checks the health of your system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin."

Could be used in binary planting attacks
As explained by Dell in its advisory, "A locally authenticated low privileged user could exploit this vulnerability to cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code."

This uncontrolled search path vulnerability reported by CyberArk's Eran Shimony is tracked as CVE-2020-5316, comes with a high severity CVSSv3 base score of 7.8, and it affects the following Dell SupportAssist versions:

• Dell SupportAssist for business PCs version 2.1.3 or earlier
• Dell SupportAssist for home PCs version 3.4 or earlier.

The company released Dell SupportAssist version 2.1.4 for business PCs and Dell SupportAssist version 3.4.1 for home PCs with fixes for the vulnerability.

Dell advises all customers to update the Dell SupportAssist software on their computers 'at the earliest opportunity,' seeing that all unpatched versions are vulnerable to attacks. If exploited, this vulnerability allows attackers to load and execute malicious payloads within the context of SupportAssist's binaries on unpatched machines.

While this flaw's threat level is not immediately obvious given that it requires local access and a low privileged user on the system to be abused, such security issues — some also requiring Admin privileges — are regularly rated with high severity CVSS 3.x base scores (1, 2).

Attackers abuse DLL search-order hijacking bugs like this one in binary planting attacks that allow for further compromise of the device and help them gain persistence in later stages of attacks.

https://www.bleepingcomputer.com/ne...ist-bug-exposes-business-home-pcs-to-attacks/
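For anyone managing a fleet, the practical follow-up to the advisory above is finding which machines are still below the fixed builds. The script below is an added example (not from the article, Dell or BleepingComputer) that takes an installed-software inventory such as an RMM export and flags SupportAssist entries older than 2.1.4 (business) or 3.4.1 (home); the product names, hostnames and versions in the sample inventory are constructed, and the assumption that the business build carries "Business" in its display name is mine.

```python
"""Flag Dell SupportAssist installs still affected by CVE-2020-5316.

Added example, not Dell's or the article's code. Fixed-version thresholds
come from the advisory quoted above; edition detection by display name and
the sample inventory are assumptions.
"""
import re

# Minimum safe version per edition, as stated in the advisory.
FIXED_VERSIONS = {
    "business": (2, 1, 4),
    "home": (3, 4, 1),
}


def parse_version(text):
    """Turn '3.4.0.456' into a tuple of ints; non-numeric noise is ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    return tuple(int(p) for p in parts)


def classify_edition(display_name):
    """Return 'business', 'home', or None if the entry is not SupportAssist.
    Assumption: the business build says 'Business' in its display name."""
    name = display_name.lower()
    if "supportassist" not in name.replace(" ", ""):
        return None
    return "business" if "business" in name else "home"


def is_vulnerable(display_name, display_version):
    """True when the installed build is older than the edition's fixed build.
    Tuple comparison handles differing lengths: (3, 4) < (3, 4, 1)."""
    edition = classify_edition(display_name)
    if edition is None:
        return False
    return parse_version(display_version) < FIXED_VERSIONS[edition]


def find_vulnerable(inventory):
    """inventory: iterable of (hostname, display_name, display_version)."""
    return [(h, n, v) for h, n, v in inventory if is_vulnerable(n, v)]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("WS-01", "Dell SupportAssist", "3.4.0.456"),
    ("WS-02", "Dell SupportAssist", "3.4.1.0"),
    ("LT-07", "Dell SupportAssist for Business PCs", "2.1.3"),
    ("LT-08", "Dell SupportAssist for Business PCs", "2.1.4.12"),
    ("SRV-1", "Dell Command | Update", "3.1.1"),
]

if __name__ == "__main__":
    for host, name, ver in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: {name} {ver} is below the fixed version")
```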
 
Well, I'm one of the contrarians on this one.

Most of the horror scenes where I have to clean up proverbial smoldering heaps of systems come directly from lack of all sorts of things being updated because the users will not do it themselves because they have zero awareness otherwise.

I use HP Support Assistant on my own HP machines and Toshiba Service Station on a Toshiba Laptop because it's invaluable to me to be notified ASAP when there are driver updates, BIOS/UEFI updates, and similar.

The risk from these utilities is infinitesimally small, and the advantages huge. I'll keep 'em, and encourage my clients to do the same. And make a point to clients that when it gives you a nudge that something needs to be updated to follow through on that nudge.
 
I use HP Support Assistant on my own HP machines and Toshiba Service Station on a Toshiba Laptop because it's invaluable to me to be notified ASAP when there are driver updates, BIOS/UEFI updates, and similar.

The risk from these utilities is infinitesimally small, and the advantages huge.

Let me try to change your mind :D

I would rather have (and you should too!) a "vulnerable" driver that runs in protected space rather than have a DLL/Program running in user-space that is vulnerable. It's much easier (generally) to attack user space and then escalate privileges than it is to attack "kernel" space.

This should not make you warm and fuzzy inside:
[three attached screenshots, not reproduced here]

Then just TODAY:
(Feb 10, 2020) Dell SupportAssist Bug Exposes Business, Home PCs to Attacks


It's these programs that put the computer at risk. It's actually fairly difficult for a "plain-Windows" to be defeated, remotely. It's always the 3rd party software that makes it easy.
 
SupportAssist I usually only install long enough to ID the system, then out it goes.

Dell Command Update... that's a different mess.
 
Well, since HP Support Assistant is up to Version 8.8.24.33, those warnings apply to versions that have, themselves, been relegated to history.

When vulnerabilities are identified they tend to be addressed. I'll stick by my current practice.
 
Yeah, all software must be updated.

And given all the micro-code issues Intel has had, this issue is small potatoes against an out of date BIOS.
 
And given all the micro-code issues Intel has had, this issue is small potatoes against an out of date BIOS.

And, Intel or AMD, the thing that most of "the great unwashed" will miss without prodding is BIOS/UEFI updates.

Even as a member of "the washed" I would not check as frequently as I likely should. Anything that nags me is a plus, and a far smaller threat.
 
I've made it a practise to reformat all new laptops I sell, simply to blow away recovery partitions, OEM junk, antivirus trials, preinstalled rubbish etc.
A fresh install of Windows then remove Edge, Cortana, ShellExperience Host, Windows Insider, XBox and all its associated garbage, Your Phone, Maps, People, Photos etc. as well as uninstall IEMI.
Then I run BlackBird to tidy up some telemetry and privacy stuff.
None of my clients use this junk so they appreciate it being gone.
Windows does a pretty good job of keeping itself updated and 99% of my clients are on my RMM plan, so updating is not an issue.
 
@Barcelona: You clearly have an entirely different customer demographic than I do, as my clients (or most of them) would have a fit were Cortana (and, by extension Windows Search), Your Phone, and Photos to be removed just because I don't care for them.

I've openly said, and will continue to say, that it is a fool's errand to remove what comes packaged with the OS itself as it will reappear at some point in a Feature Update. This stuff takes up minimal disk space and virtually zero system resources if running in the background is disabled, which is a simple thing which is supported by Windows 10 Settings but which can also be done programmatically. These things can lie fallow and those who don't use them have no idea that they exist. If one really wants and needs that level of control then the Enterprise edition is the way to go, and that's generally used in large organizations that actually need it.

Last night I, by chance, got a notification from HP Support Assistant that a BIOS/UEFI update was available for my machine that has just come out over the last month. I probably wouldn't have been aware of this for months if I didn't bother to check, and I don't go checking the support pages for my machines on a frequent basis. That update is now installed because I was given a timely notification. If I can get customers to act on same then they're way ahead of the game when it comes to attempting to keep their own systems as secure as possible.
 