OEM diagnostic software used by Dell and other manufacturers has a serious security flaw

SupportAssist, which comes pre-installed on millions of Dell PCs, is based on a platform called PC-Doctor, and it can be abused to give attackers system-level access to hardware and software.

How the malware landscape is evolving

A serious security flaw exists in diagnostic software used by Dell and other PC manufacturers, according to a Thursday blog post from cybersecurity firm Safebreach Labs.

The diagnostic software goes by the name SupportAssist on Dell PCs, but is actually a rebranded version of software written by PC-Doctor. The software in question is used by a number of different OEMs that manufacture Windows PCs, and typically comes pre-installed as a tool for monitoring hardware and software health.

To monitor the health of hardware and software components, PC-Doctor software requires high-level access to its host computers. That high-level access requirement is where the problem comes in: It can be exploited to give attackers elevated, persistent access to hundreds of millions of PCs with the software installed.

How PC-Doctor commits malpractice

Safebreach Labs tested the exploit using Dell SupportAssist, which it found used a variety of different PC-Doctor executables to gather system information. That in and of itself isn't the problem: It's how those executables go about gathering that info.

PC-Doctor uses a number of different DLL libraries that gather information from different sources and present them to SupportAssist. While testing to see what the DLLs did, SafeBreach found that several of the info-gathering modules looked for DLLs located in the PATH environment variable directory.

The PATH environment variable directory is generally a writeable directory for authenticated computer users, which means an attacker could theoretically drop a malicious DLL into it and have it executed by PC-Doctor software, which is precisely what Safebreach Labs' Peleg Hadar found.

Hadar loaded unsigned DLLs into the target directories, and PC-Doctor executed them without a second thought. It did this for two reasons:

  1. PC-Doctor isn't performing safe DLL loading. It loads DLLs using a command that doesn't allow a program to flag DLLs to be loaded only from known safe locations.

  2. PC-Doctor doesn't check for a valid digital certificate before loading a DLL. In other words, it will load any unsigned DLL.

If an attacker were able to make use of this vulnerability, they would be able to give themselves persistent elevated privileges, as well as be able to bypass application whitelists and signature validation.

The vulnerability would also allow attackers to bypass driver signature enforcement, which is designed to make windows crash if an unsigned kernel-mode driver is loaded. If done successfully the attacker would have full read/write primitive access.

Who is at risk?

All Dell PCs with SupportAssist are at risk, but the problem is far greater than that: PC-Doctor software is installed on a wide range of OEM machines.

Unfortunately, PC-Doctor hasn't revealed which OEMs these are, and since its software is generally rebranded to match the OEM, it's nearly impossible to know the full number of infected PCs.

Luckily, there's no known instance of this exploit being used in the wild—it's merely a proof of concept that has been presented to Dell and PC-Doctor, the latter of which said it will be releasing a security update sometime in June 2019 to address the issue.

Until the patch is released, Dell users should consider disabling SupportAssist to prevent it from running malicious DLLs. Users of other OEM PCs and IT teams should follow good security practices such as installing all system updates, not opening attachments from unknown sources, whitelisting acceptable software, and making sure firewalls are online.

Also see

Abstract padlock texture

Image: iStockphoto/peshkov