Dell has pushed out a patch for a critical vulnerability in the diagnostic software running on millions of its laptops that could allow an attacker to gain control of a vulnerable machine.
The vulnerability is in the SupportAssist software that is pre-installed on many Dell machines and is used to run hardware and software checks on the computers during operation. The software runs with high privileges, and researchers at SafeBreach discovered that a component of SupportAssist developed by PC-Doctor has a weakness that can be exploited in a number of different ways. Exploiting the vulnerability gives an adversary the ability to read and write to the physical memory of the vulnerable machine.
“This is a serious security issue that would allow attackers access to system-level capabilities, giving them near total control over what’s happening on that machine and the ability to read, copy or alter any data in physical memory,” said Itzik Kotler, CTO and co-founder of SafeBreach.
The weakness also affects other products, including the PC-Doctor Toolbox for Windows, which is sold under a series of other names.
The researchers developed proof-of-concept exploits for the vulnerability and reported the bug to Dell in late April. After discovering that the issue was in a component provided by PC-Doctor, Dell sent the bug to the vendor, which developed a fix. Dell then pushed the patch to its automatic update service on May 28. The company said that most of its customers have automatic updates enabled, so the fix has been widely deployed at this point.
“More than 90% of customers to date have received the update and are no longer at risk. Most customers have automatic updates enabled, which is a general security best practice to keep software and systems up to date. Dell urges customers to turn on automatic updates or manually update their SupportAssist software. Dell’s first priority is product security and helping our customers ensure the security of their data and systems,” Dell’s statement says.
SupportAssist comes preinstalled on most of Dell’s business and consumer PCs and the software uses a signed driver from PC-Doctor in order to get access to a machine’s low-level memory and hardware. The SafeBreach researchers found an issue in one of the libraries that’s loaded in the PC-Doctor executable.
“Among the notable libraries which are loaded into the PC-Doctor .p5x executables is SysSpace.dll. This library provides a strong wrapper function to the physical memory reading functionality, called PhysicalMemory::read,” Peleg Hadar, a security researcher at SafeBreach, said in a post detailing the weakness and exploitation.
“The function opens a handle to the driver and sends the relevant IOCTL to the driver. The only remaining step was to figure out which parameters we needed to send to the function. We searched for a DLL which imports the PhysicalMemory::read function and uses it, so we could quickly understand how to use this function.”
Once he found a suitable DLL, Hadar was able to exploit the bug and read the physical memory of the target machine. After exploitation, Hadar said, an attacker could load and run any payload he chose and the payload would be executed by a trusted, signed service.
The vulnerability affects Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 3.2.1 and all prior versions.