Recent investigations have uncovered a significant security flaw within Dell’s SupportAssist utility, a pre-installed software feature on millions of Dell laptops and PCs that potentially exposes users to serious risks. Identified by researchers at SafeBreach Labs, this vulnerability—designated as CVE-2019-12280—affects both the SupportAssist version for business environments (2.0) and the home PC version (3.2.1 and earlier).

SupportAssist’s primary role is to assess the operational state of a system’s hardware and software, alerting users to necessary actions for their maintenance. Operating with SYSTEM-level permissions, the utility connects with Dell’s support infrastructure to retrieve device specifications and automatically manage driver updates, along with conducting hardware diagnostics.

However, SafeBreach Labs found that the application is susceptible to privilege escalation due to its behavior of erroneously loading dynamic link library (.dll) files from user-defined directories. This oversight allows unauthorized users or malicious software to replace or corrupt existing DLLs, enabling the execution of harmful code with administrative privileges.

This weakness could lead to a wide range of malicious actions, essentially granting attackers control of the affected systems. The ease with which a planted DLL could be loaded into the SupportAssist process increases the potential impact of an attack, since code running inside a trusted, SYSTEM-level utility can operate without drawing attention.

“SupportAssist is included by default on most Dell devices running Windows, meaning millions of users are affected unless an update is applied,” the researchers from SafeBreach Labs noted.

The implications of this vulnerability extend beyond Dell products; SafeBreach Labs suggested that any OEM shipping the rebranded software from PC-Doctor, the company responsible for maintaining SupportAssist, could be at risk. This broader exposure was confirmed after SafeBreach shared its findings with Dell, prompting Dell to notify other manufacturers potentially impacted.

Given that PC-Doctor has reportedly distributed over 100 million copies of its diagnostic software globally, the vulnerability likely has implications for various other device manufacturers who have integrated similar troubleshooting tools.

Notably, this is not the first serious flaw identified in Dell’s SupportAssist software, reinforcing concerns about the overall security of pre-installed applications on enterprise and consumer devices. Earlier this year, Dell addressed another critical remote code execution vulnerability that allowed attackers to download malware remotely.

In light of these developments, Dell urges users of its SupportAssist for Business PCs to upgrade to version 2.0.1, and home PC users to transition to version 3.2.2 to mitigate these risks. Business owners and IT administrators should remain vigilant, ensuring not only that applicable updates are applied promptly, but also assessing the security posture of all pre-installed software on their devices.
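The two checks a Windows administrator would want after reading the description of the flaw and Dell’s update guidance, as an added example (not code from the article, SafeBreach or Dell): a PowerShell audit that reports any installed SupportAssist below the fixed versions named above, and lists machine-wide PATH directories writable by non-admin users, the kind of user-controlled location from which a SYSTEM process can be made to load a DLL. It assumes the product registers in the standard Windows Uninstall registry keys with "SupportAssist" in its display name, and that Business builds are the 2.x line and Home builds the 3.x line, as the article’s version numbers imply.

```powershell
# Added audit example (not from the article, SafeBreach or Dell). Assumes
# SupportAssist registers in the standard Uninstall keys with 'SupportAssist'
# in DisplayName, and that 2.x = Business and 3.x = Home builds (per the article).
# Run in an elevated PowerShell; it only reads state and prints findings.

function Get-SupportAssistStatus {
    # Fixed versions named by Dell: 2.0.1 (Business), 3.2.2 (Home)
    $fixed = @{ 2 = [version]'2.0.1'; 3 = [version]'3.2.2' }
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' -and $_.DisplayVersion } |
        ForEach-Object {
            # Strip any non-numeric suffix so the string parses as [version]
            $v = [version]($_.DisplayVersion -replace '[^\d.].*$', '')
            $min = $fixed[$v.Major]
            if (-not $min) { $status = 'unknown product line' }
            elseif ($v -lt $min) { $status = 'VULNERABLE - update required' }
            else { $status = 'patched' }
            [pscustomobject]@{ Product = $_.DisplayName; Version = $v; Status = $status }
        }
}

function Get-WritableMachinePathDir {
    # A SYSTEM process resolving a DLL by bare name ends its search in the
    # machine PATH, so any entry writable by ordinary users is a hijack risk.
    $lowPriv = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl'
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } | Sort-Object -Unique
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir
        # Ask for SID identities so the comparison does not depend on account-name locale
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -contains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band $writeBits) -ne 0) {
                [pscustomobject]@{ Directory = $dir; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                break   # one finding per directory is enough
            }
        }
    }
}

Get-SupportAssistStatus | Format-Table -AutoSize
Get-WritableMachinePathDir | Format-Table -AutoSize
```

Any directory the second function reports should have its ACL tightened (or be removed from the machine PATH) regardless of which software is installed, since the same search-order behaviour applies to every privileged process on the host.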

The MITRE ATT&CK tactics of initial access, privilege escalation, and execution are the relevant frame for this vulnerability: a low-privileged foothold is converted into SYSTEM-level code execution through the trusted utility. Mapping the incident this way helps organizations identify the detections and hardening measures that would also cover similar vulnerabilities in other pre-installed software.

In summary, as cybersecurity threats evolve, both consumer and enterprise users must stay informed about vulnerabilities in essential software tools and take proactive steps to safeguard their systems.