Introduction

A critical vulnerability impacting Dell’s SupportAssist software could allow a remote attacker to execute code with admin privileges on impacted devices.  SupportAssist is installed by default on all Dell laptops and PCs and may also be installed or updated when visiting Dell’s Support website.

Technical Information

To exploit the vulnerability, an attacker could lure a target to a malicious web page, which would then allow remote code to compromise the SupportAssist tool. Because the SupportAssist tool has admin privileges, the attacker would then have full access to the system.

Steps Taken by Tier1Net

Tier1Net has identified all impacted devices within its customer networks and is deploying the patch which was recently released by Dell.  The patch should run with no user intervention required.

Recommendation for Home Users

Home users with Dell PCs should visit this Tier1Net knowledgebase article for instructions on identifying whether SupportAssist is installed and in need of the update.

Additional Information

https://www.dell.com/support/article/us/en/19/sln316857/dsa-2019-051-dell-supportassist-client-multiple-vulnerabilities?lang=en
https://www.zdnet.com/article/dell-laptops-and-computers-vulnerable-to-remote-hijacks/

On Tuesday, February 16th, Google posted a blog outlining a vulnerability in glibc (the GNU C library), which is used in many products and leaves those products vulnerable to remote exploitation. The vulnerability, identified as CVE-2015-7547, is similar to Heartbleed and Shellshock in terms of the scope of affected systems, but is not as serious because it is significantly more difficult to exploit.

Successful exploitation of the vulnerability relies on the potential victim communicating with a hostile/malicious DNS server or being subject to a man-in-the-middle attack. Nevertheless, the vulnerability is considered critical by the industry since it can lead to remote exploitation of the client system.

This vulnerability is being seen across the industry and Dell SonicWALL is working quickly to provide a hot-fix and patch to ensure continued protection with Dell SonicWALL SRA/SMA Series.

For Tier1Net customers using Dell SonicWALL SSLVPN SRA Appliances:

•  All SRA firmware versions prior to 8.1.0.1-11sv for SRA 4600/1600/Virtual Appliance and 8.0.0.4-25sv for SRA 4200/1200 are affected.
•  Action: Tier1Net will open trouble tickets for all impacted customers and install the Dell SonicWALL patch to resolve this vulnerability.
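The version cut-offs above can be applied to an appliance inventory as follows. This is an added example, not code from Tier1Net or Dell SonicWALL; the hostnames and inventory rows are constructed, and it assumes firmware strings order numerically field by field with the build number last (a plain string comparison would wrongly rank build 9sv above 11sv).

```python
import re

# Fixed firmware builds quoted in the advisory, keyed by SRA model.
FIXED = {
    "SRA 4600": "8.1.0.1-11sv",
    "SRA 1600": "8.1.0.1-11sv",
    "SRA Virtual Appliance": "8.1.0.1-11sv",
    "SRA 4200": "8.0.0.4-25sv",
    "SRA 1200": "8.0.0.4-25sv",
}

_FW = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_firmware(version):
    """Turn '8.1.0.1-11sv' into (8, 1, 0, 1, 11); raise ValueError otherwise."""
    m = _FW.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(part) for part in m.groups())


def triage(model, version):
    """Return 'affected', 'patched' or 'review' for one appliance."""
    fixed = FIXED.get(model)
    if fixed is None:
        return "review"  # model not covered by the advisory text
    try:
        current = parse_firmware(version)
    except ValueError:
        return "review"  # do not guess on an unparseable version
    # Assumption: numeric field-by-field ordering, build number last.
    return "affected" if current < parse_firmware(fixed) else "patched"


# Constructed inventory (hypothetical hostnames and versions).
INVENTORY = [
    ("vpn-a", "SRA 4600", "8.1.0.1-11sv"),
    ("vpn-b", "SRA 4600", "8.1.0.1-9sv"),
    ("vpn-c", "SRA 1200", "8.0.0.4-25sv"),
    ("vpn-d", "SRA 4200", "7.5.1.2-40sv"),
    ("vpn-e", "SRA 4200", "unknown"),
]


def report(inventory=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in inventory}
```

Appliances that come back as "review" need a manual check against the vendor advisory rather than an automatic verdict.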

If you also have Dell SonicWALL firewalls deployed, please note: The Dell SonicWALL threat research team successfully published an Intrusion Prevention Service (IPS) signature on Tuesday, February 16th that automatically updated all customer systems running IPS worldwide, protecting networks behind our firewalls within 12 hours of identification. Dell SonicWALL firewalls are not susceptible to the glibc buffer overflow vulnerability.

Full details about the vulnerability and protection can be found in this SonicAlert article.

Read the "How Dell SonicWALL Guards Against the Glibc Vulnerability" blog by Ken Dang from SonicWALL.

Dell recently notified Tier1Net of a security vulnerability within its Dell Foundation Services that run on Dell PCs and laptops. This could allow a man-in-the-middle attack to decrypt sensitive data transmitted from a PC or laptop running the Dell Foundation Services software.

As part of Tier1Net’s standard pre-configuration process, the Dell Foundation Services are removed by default, so Tier1Net customers’ risk of exposure should be minimal. For the few client machines which still have the software installed, Tier1Net will be running a tool to remove the vulnerability.

Dell has issued a statement apologizing for the oversight and will not be installing this certificate on any future machines.

For more on Dell’s statement, read below:

“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system.  The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process. We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.”

Read more here: http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate