17-year-old researcher Bill Demirkapi discovered a critical remote code execution vulnerability in the Dell SupportAssist utility that comes pre-installed on most Dell computers. Dell SupportAssist, formerly known as Dell System Detect, checks the heath of your systems hardware and software.
The utility has been designed to interact with the Dell Support website and automatically detect Service Tag or Express Service Code of your Dell product, scan the existing device drivers and install missing or available driver updates, as well as perform hardware diagnostic tests. If you are wondering how it works, Dell SupportAssist in the background runs a web server locally on the user system, either on port 8884, 8883, 8886, or port 8885, and accepts various commands as URL parameters to perform some-predefined tasks on the computer, like collecting detailed system information or downloading a software from remote server and install it on the system.
Although the local web service has been protected using the “Access-Control-Allow-Origin” response header and has some validations that restrict it to accept commands only from the “Dell.com” website of its subdomains, Demirkapi figured out how to bypass these protections.
The remote code execution vulnerability, identified as CVE-2019-3719, affects Dell SupportAssist Client versions prior to version 220.127.116.11. Besides this issue, Dell has also patched an improper origin validation (CVE-2019-3718) vulnerability in the SupportAssist software that could have allowed an unauthenticated, remote attacker to attempt CSRF attacks on users’ systems.
Dell users are advised to either install the updated Dell SupportAssist 18.104.22.168 or later, or simply uninstall the application altogether, if not required, before hackers try to exploit the weaknesses to take full control over their computer systems.