SafeBreach Labs has found a problem with the disk trouble-shooting software that comes preinstalled on Dell Computers. It fails at DLLs. The software comes preinstalled on Dells that run Windows, which means that 100 million installs are at risk.
SafeBreach found that one library of software which was used to construct Dell's SupportAssist can be tricked into loading DLL files that it really shouldn't. The "Common.dll" library that was used in creation of the Assistant tool was part of an effort that was supposed to provide Dell with a lot of the low-level hardware accessing functionality that it needed available to it, including the option to load a DLL file.
The actual code in "Common.dll" as written by PC-Doctor, a Nevada based company which develops hardware-diagnostic software. They also sell the tool to Intel, Yokogawa, IBM and others.
The researchers said that there are two root causes for the vulnerability:
1. "The lack of safe DLL loading. The code is using LoadLibraryW, instead of using LoadLibraryExW which allows defining the search order using certain flags, such as LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR which searches the DLL only in its own folder, avoiding the scenario of searching the DLL in the PATH variable.
2. No digital certificate validation is made against the binary. The program doesn't validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL without any hesitation."
So, an attacker could load a DLL with this driver that could elevate its own privileges and run arbitrary code.
There have been others previously seeing some major problems with SupportAssist's drivers (which were also written by PC-Doctor) that can be readily exploited by attackers.
For example, a security researcher named Bryan Alexander found a vulnerability that would allow a non-admin user to send a message to the driver that would unlock access to the hardware.
Dell admitted the existence of the problem to SecurityNow. They have also just published a security advisory about it.
Dell told SN that PC-Doctor fixed the code and then, "released the fix to Dell, we implemented it and released updates on May 28, 2019 for the affected SupportAssist versions. More than 90% of customers to date have received the update and are no longer at risk. Most customers have automatic updates enabled, which is a general security best practice to keep software and systems up to date. We urge customers to turn on automatic updates or manually update their SupportAssist software."
Even if the download rate was that high, it still leaves 10 million users at risk.
When questioned on the download numbers Dell said: "We have data showing the number of updated downloads so we can confidently say more than 90% have downloaded the update."
Eric Goldman of PC-Doctor agrees with Dell's statement. He told Security Now: "I can confirm all affected customers had updates released, and most of the affected users have been upgraded."
When asked about the update propagation, he added: "I can confirm approximately 90% of all users -- any user running SupportAssist, PC-Doctor Toolbox for Windows, or a rebranded version of PC-Doctor Toolbox for Windows -- have upgraded to a fixed version."
As far as how OEM customers were affected, Goldman said: "The same technology in this product is also in PC-Doctor Toolbox for Windows, which is rebranded for other OEMs. These are smaller OEMs, so the impact is only in the thousands, not millions."
So, Dell got nailed by a third-party supply chain attack vector that they paid for. They seem to have taken reasonable mitigation steps, but even Dell admits there are 10 million users out there that need to update their tool, and they need to do it now.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.