Dell deployed a patch to fix a high-severity DLL hijacking vulnerability in its SupportAssist software, which comes bundled with Dell business and personal PCs.
SupportAssist is support software that comes pre-installed on Dell home and business PCs. The software helps users identify hardware/software issues and address system performance issues.
CVE-2019-12280 – DLL hijacking
Researchers from SafeBreach Labs discovered the DLL hijacking vulnerability CVE-2019-12280 in the PC-Doctor component of Dell’s SupportAssist software. SafeBreach first reported the issue to Dell on April 29, 2019, and Dell confirmed it on May 8, 2019.
According to Peleg Hadar of SafeBreach, a bad actor could exploit the vulnerability to load an arbitrary unsigned DLL into a service that runs as SYSTEM. From there, the attacker can gain privilege escalation and persistence, install malware, or carry out other malicious actions.
SafeBreach provided a detailed walk-through demonstrating the DLL hijacking exploit. The company also described two different ways an attacker can leverage the flaw: signed execution and whitelisting bypass.
Consequently, attackers could load and execute malicious files through a signed service, bypassing built-in safeguards such as Microsoft’s Driver Signature Enforcement (DSE), which crashes the OS when an unsigned kernel-mode driver is loaded.
The flaw impacts Dell SupportAssist for Business PCs version 2.0 and Home PCs version 3.2.1 (and all prior versions).
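As an added defensive check (not Dell’s or SafeBreach’s code), the PowerShell below reports whether an installed SupportAssist build falls inside the affected version ranges stated above and lists PATH directories that a standard user can write to, which is the precondition a DLL-hijacking search path needs. It assumes SupportAssist appears in the Uninstall registry keys with "SupportAssist" in its DisplayName and that Business builds carry "Business" in that name.

```powershell
# Added example, not Dell's or SafeBreach's code. Assumptions: SupportAssist shows up in
# the Uninstall registry keys with "SupportAssist" in DisplayName, and Business builds
# carry "Business" in that name. Version thresholds come from the advisory text.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SupportAssistStatus {
    # Affected per the advisory: Business <= 2.0, Home <= 3.2.1 (and all prior versions);
    # anything above those thresholds is treated as patched.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' -and $_.DisplayVersion } |
        ForEach-Object {
            $ver = [version]$_.DisplayVersion
            $maxVulnerable = if ($_.DisplayName -match 'Business') { [version]'2.0' } else { [version]'3.2.1' }
            [pscustomobject]@{
                Product    = $_.DisplayName
                Version    = $ver
                Vulnerable = ($ver -le $maxVulnerable)
            }
        }
}

function Get-StandardUserWritableDirs {
    # The Windows DLL search order ends with the PATH directories; any of them writable
    # by a low-privilege principal is a DLL planting location for a SYSTEM service.
    $lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    $write   = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ -and (Test-Path $_) })) {
        $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $write) -ne 0)
        }
        if ($hit) { $dir }
    }
}

Get-SupportAssistStatus | Format-Table -AutoSize
$writable = Get-StandardUserWritableDirs
if ($writable) {
    Write-Warning "PATH directories writable by standard users:`n$($writable -join "`n")"
}
```

Run it from an elevated prompt so the registry and ACL reads are complete; a writable PATH directory is worth fixing regardless of the SupportAssist version installed.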
Dell recommends that users upgrade their systems at the earliest opportunity. If automatic updates are enabled, the latest SupportAssist version should already have been installed; if not, users can update the software manually.
Users and organizations should read the Dell advisory and check their systems for the latest updates, just to be safe.