The SupportAssist software comes pre-loaded on most Dell laptops and desktops. It’s used to check for different hardware and software issues that could arise over the course of time on Dell machines. For example, it can be used to test whether the battery is in a healthy condition or not.
Unfortunately, the innocent-looking SupportAssist could open doors for attackers who can use it to achieve privilege escalation on Dell machines running Windows 10. The vulnerability was discovered by security firm SafeBreach Labs, the firm told Fossbytes in an email.
It’s estimated that around 100 million PCs on which SupportAssist might be installed could be at risk.
Moreover, according to the security firm, the vulnerability (CVE-2019-12280) isn’t limited to Dell. Like Dell, many other OEMs use a re-branded version of the diagnostic tool created by PC Doctor.
The list of other affected software includes PC-Doctor Tool For Windows, which is also re-branded as CORSAIR Diagnostics, Staples EasyTech Diagnostics, etc.
What’s the problem?
PC Doctor has developed the components that allow access to hardware such as PCI, physical memory, etc. The researchers assumed that the program must have low-level access to system components to perform its desired operations.
When they ran the program on their virtual machine, the researchers found that they could easily load a custom-made DLL file for privilege escalation. This is because the program doesn’t validate whether a DLL being loaded is digitally signed or not.
An attacker can take advantage of the vulnerability to bypass techniques such as Application Whitelisting, which is used to prevent unsafe apps from being installed on the machine.
SafeBreach researchers were able to create a proof-of-concept and read/write data to the physical memory, and so can the attacker.
To prevent unsigned kernel-mode drivers from installing on the machine, Windows uses a mechanism called Driver Signature Enforcement. It crashes the system when it detects an unsigned driver being loaded.
But because of the vulnerability, DSE becomes useless. The program comes with a driver that is already digitally signed and authorized by Microsoft, so the attacker might not need to load an unsigned driver to achieve read/write permissions.
The revelation comes after a non-disclosure policy that ends on June 19th. Dell has confirmed the existence of the bug after it was first reported back in April 2019. Further, the researchers have notified PC Doctor as well, and a security patch is expected to be released sometime in mid-June.
Dell has released security patches for the said vulnerability. It’s advised to update your machines well in time.
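The root cause described above is that the program loads DLLs without checking whether they are digitally signed. As an added example (not code from SafeBreach, Dell or PC Doctor), the following PowerShell function lists the modules loaded by a running process whose Authenticode signature is missing or invalid. The function name `Get-UntrustedModule` is hypothetical, and the process name is an assumption the operator supplies.

```powershell
# Added example: report modules loaded by a process that lack a valid
# Authenticode signature. Run from an elevated prompt so that the module
# list of services running as SYSTEM can be read.
function Get-UntrustedModule {
    [CmdletBinding()]
    param(
        # Process name without ".exe"; supplied by the operator.
        [Parameter(Mandatory)][string]$ProcessName
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        # Reading the module list fails without sufficient privileges.
        try   { $modules = $proc.Modules }
        catch { $modules = $null }

        if (-not $modules) {
            Write-Warning "Cannot read modules of PID $($proc.Id); try an elevated prompt."
            continue
        }

        foreach ($m in $modules) {
            # Skip entries with no backing file on disk.
            if (-not $m.FileName -or -not (Test-Path -LiteralPath $m.FileName)) { continue }

            $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $m.FileName
                    Status    = $sig.Status   # e.g. NotSigned, HashMismatch
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
        }
    }
}

# Usage (placeholder process name, replace with the diagnostic service's process):
# Get-UntrustedModule -ProcessName '<process-name>' | Format-Table -AutoSize
```

Any module reported from a directory that standard users can write to deserves a closer look, since that is where an unsigned DLL could be planted.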