Dell has released an update for two dangerous bugs in its SupportAssist software that it pre-installs on many Windows PCs to check the health of the system’s hardware and software.
Both of the flaws can be remotely exploited to compromise a Windows system. One of them, CVE-2019-3718, is caused by improper origin validation, and allows a remote attacker without valid credentials to exploit the bug and attempt a cross-site request forgery (CSRF) attack on vulnerable systems.
The second is a remote code execution (RCE) flaw (CVE-2019-3719) that allows an unauthenticated attacker to share the network access layer with the vulnerable system.
The attacker would need to trick a victim into downloading and executing a file from a malicious site within the SupportAssist client, according to Dell’s description.
The RCE flaw was found by 17 year-old independent security researcher Bill Demirkapi who posted a detailed writeup about the issue.
Demirkapi recently swapped an aging MacBook Pro for a Dell G3 15 laptop and decided to download SupportAssist on his clean build machine. He started investigating after reading Dell's product material and finding it “suspicious that Dell claimed to be able to update my drivers through a website.”
Dell claims the software will “proactively check the health of your system’s hardware and software”. On most new Windows Dell PCs it’s pre-installed but on clean builds a user needs to install the software -- an agent that connects to Dell’s support website via a browser in order to detect potential issues, such as outdated drivers.
Dell implemented a number of checks to ensure that files can only be downloaded through SupportAssist from legitimate Dell domains by using a whitelist of allowed file locations.
However, Demirkapi found other rules in SupportAssist code that could be exploited. One of them aims to ensure files aren’t downloaded over HTTP, likely to mitigate man-in-the-middle attacks. If the check finds a file URL that begins with http://, it replaces it with the secure https://.
Demirkapi realized that, in fact, a man-in-the-middle attack would do the trick, thanks to the instructions to replace a URL with https:// if it strictly starts with “http://“.
“If we could provide the SupportAssist client with a http:// URL, we could easily intercept and change the response! This somewhat solves the hardest challenge,” explained Demirkapi.
While he couldn’t intercept and change the contents of an HTTPS connection, he could exploit the strict rules around the HTTP to HTTPS swap and get a response that he could change. He came up with a dell.com URL that started with a space character at the front and then followed on with http://.
“The key bypass to this mitigation was in this sentence: “if the URL starts with http://, it will be replaced by https://”,” he explains.
“See, the thing was, if the URL string did not start with http://, even if there was http:// somewhere else in the string, it wouldn’t replace it. Getting a URL to work was tricky, but I eventually came up with “ http://downloads.dell.com/abcdefg” (the space is intentional). When you ran the string through the starts with check, it would return false, because the string starts with “ “, thus leaving the “http://” alone.”
Dell is urging customers using SupportAssist versions prior to 188.8.131.52 to install an update that resolves the two bugs.