Flaw in pre-installed software opens Dell computers to remote hijack

Dell computer owners should update the Dell SupportAssist software as soon as possible to close a high-risk remote code execution vulnerability.

What is Dell SupportAssist?

SupportAssist is software that comes pre-installed on most Dell laptops and computers running Windows.

It has administrator-level access to the operating system and uses it to identify issues, run diagnostics, driver-update scans, and install drivers.

About the vulnerability (CVE-2019-3719)

CVE-2019-3719 is not deemed to be critical as it can’t be exploited by attackers who are not on the same local network as the victim.

Still, instances where that can happen are far from rare. For example, it’s enough for the attacker to be connected to the same public wireless network or enterprise network the potential victim is.

To successfully pull off the attack, the attacker must trick the target into visiting a website booby-trapped with the exploit – no other user interaction is required.

Bill Demirkapi, the researcher who discovered and flagged the flaw to Dell, has created a PoC exploit taking advantage of it.

He also published a very detailed write-up where he explained, step by step, how the attack would work.

It does require some skill by the attackers: they need to intercept the software’s update request to a Dell domain and redirect the victim to the booby-trapped site, most likely by mounting an ARP spoofing and a DNS spoofing attack or by compromising the network’s router.

A fix is available

The good news is that Dell has pushed out a fix late last month: users are advised to upgrade their Dell SupportAssist Client to version 3.2.0.90 and later or uninstall the software entirely.