Dell’s SupportAssist utility that comes pre-installed on millions of Dell laptops and PCs contains a security vulnerability that could allow malicious software or rogue logged-in users to escalate their privileges to administrator-level and access sensitive information.
Discovered by security researchers at SafeBreach Labs, the vulnerability, identified as CVE-2019-12280, is a privilege-escalation issue and affects Dell’s SupportAssist application for business PCs (version 2.0) and home PCs (version 3.2.1 and all prior versions).
Dell SupportAssist, formerly known as Dell System Detect, checks the health of your system’s hardware and software and alerts customers to take appropriate action to resolve any problems. To do so, it runs on your computer with SYSTEM-level permissions.
With these high-level privileges, the utility interacts with the Dell Support website and automatically detects the Service Tag or Express Service Code of your Dell product, scans the existing device drivers and installs missing or available driver updates, and performs hardware diagnostic tests.
However, researchers at SafeBreach Labs discovered that the software insecurely loads .dll files from user-controlled folders when run, leaving an opening for malware and rogue logged-in users to corrupt existing DLLs or replace them with malicious ones.
Therefore, when SupportAssist loads those tainted DLLs, malicious code gets injected into the program and executed within the context of an administrator, thus easily allowing the attacker to gain complete control of a targeted system.
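A defender can check a machine for the condition described above, folders that a privileged process may load DLLs from and that ordinary users can write to. The PowerShell below is an added example, not code from SafeBreach Labs, Dell or PC-Doctor; it assumes the folders of interest are those on the machine-wide PATH (the article does not name the folders) and uses a hand-picked list of well-known low-privilege SIDs.

```powershell
# Added example: audit machine-wide PATH folders for write access by
# low-privilege principals (assumed scope; change $dirs to audit other folders).
# Run elevated so Get-Acl can read every folder's ACL.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Bits that let a principal add files or take over the folder's ACL.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, ChangePermissions, TakeOwnership'
# Get-Acl can also return raw GENERIC_WRITE / GENERIC_ALL bits.
$genericBits = 0x40000000 -bor 0x10000000

$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
    Where-Object { $_ } |
    Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist needs a manual look at its parent.
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'MISSING: check who can create it' }
        continue
    }
    # Resolve ACEs to SIDs so the match does not depend on the OS language.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $lowPriv.ContainsKey($sid)) { continue }
        $bits = [int]$ace.FileSystemRights
        if (($bits -band $writeBits) -or ($bits -band $genericBits)) {
            [pscustomobject]@{ Directory = $dir; Principal = $lowPriv[$sid]; Rights = $ace.FileSystemRights }
        }
    }
}

$findings | Sort-Object Directory | Format-Table -AutoSize -Wrap
```

An empty table means none of the listed groups can write to those folders; access granted to individual user accounts is not covered by this check.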
“According to Dell’s website, SupportAssist is pre-installed on most of Dell devices running Windows. This means that as long as the software is not patched, the vulnerability affects millions of Dell PC users,” the researchers say.
What’s worrisome? Researchers believe that Dell is not the only company whose PCs are impacted by this particular security issue.
Since Dell SupportAssist is written and maintained by Nevada-based diagnostics and customer support firm PC-Doctor, other PC makers that bundle the same diagnostic and troubleshooting tools into their own computers with different names may also be vulnerable.
“After SafeBreach Labs sent the details to Dell, we discovered that this vulnerability affects additional OEMs which use a rebranded version of the PC-Doctor Toolbox for Windows software components,” the researchers say.
Also, according to the PC-Doctor website, PC makers have “pre-installed over 100 million copies of PC-Doctor for Windows on computer systems worldwide,” which means the flaw also affects other OEMs that rely on PC-Doctor for specialized troubleshooting tools.
Since Dell’s SupportAssist software uses a driver signed by PC-Doctor to access low-level memory and hardware, the researchers demonstrated the vulnerability by reading the contents of an arbitrary physical memory address as a proof-of-concept.
SafeBreach Labs reported the vulnerability to Dell on 29th April 2019. The company then reported the issue to PC-Doctor and, on 28th May, released fixes provided by PC-Doctor for the affected SupportAssist versions.
Dell business and home PC users are advised to update their software to Dell SupportAssist for Business PCs version 2.0.1 and Dell SupportAssist for Home PCs version 3.2.2, respectively.
This is not the first time Dell SupportAssist has been found to be affected by a severe security vulnerability.
In April this year, Dell also addressed a critical remote code execution vulnerability in the utility that would have allowed remote attackers to download and install malware from a remote server on affected Dell computers and take full control over them.