Two critical vulnerabilities (CVE-2020-29491 and CVE-2020-29492) with a CVSS score of 10 were discovered in specific Dell Wyse thin client devices. The vulnerabilities could be exploited in remote code execution attacks to access files on compromised devices; they were reported by CyberMDX researchers.
What is a Dell Wyse thin client device? It is a small-form-factor computer that handles remote desktop connections to other resources. These devices are utilized by approximately 6,000 organizations in the United States, mostly in the healthcare sector.
Dell Wyse ThinOS Contains Critical Vulnerabilities
According to Dell’s official advisory, “Dell Wyse ThinOS 8.6 MR8 contains remediations for insecure default configuration vulnerabilities that could be potentially exploited to access a writable file that can be used to manipulate the configuration of a specific thin client and potentially gain access to sensitive information leading to the compromise of thin clients.”
The ThinOS operating system receives system updates via a local FTP server. According to the researchers, this FTP server is configured to have no credentials. What does the lack of credentials mean? “Since there are no credentials, essentially anyone on the network can access the FTP server and modify that INI file holding configuration for the thin client devices,” CyberMDX has found.
“If this INI file exists, it loads the configuration from it,” the report explains. “This file is writable, so it can be created and manipulated by an attacker to control the configuration received by a specific user.” This condition creates two vulnerabilities in the Dell Wyse devices.
CVE-2020-29491 and CVE-2020-29492
The CVE-2020-29491 vulnerability, described as a default configuration flaw, is located in devices running ThinOS versions 8.6 or earlier. Threat actors can exploit it to obtain access to the local network’s information, leading to further compromise of impacted devices.
CVE-2020-29492 resides in the same version of the operating system, and is again related to insecure default configuration. A remote unauthenticated attacker could exploit the flaw to further access the writable file and manipulate the configuration of any target-specific station.
Users of the devices should update to the latest version of ThinOS – 9.x. If your organization is running a device that can’t be updated to the latest version, you should disable the FTP server to avoid attacks. Also, consider using HTTPS and make sure that the file servers have read-only access.
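As an added example (not from the article, Dell or CyberMDX), a defender-side check that runs over constructed vsftpd-style log lines and flags anonymous logins to the thin-client file server and, more seriously, anonymous writes to INI configuration files; the vsftpd log format and the /wnos/ INI path are assumptions, so adapt the regex to the file server actually deployed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a vsftpd-style transfer log. Assumptions: the thin
# clients fetch their configuration from vsftpd, and the INI files live under /wnos/.
SAMPLE_LOG = """\
Mon Dec 21 09:58:02 2020 [pid 4100] [ftp] OK LOGIN: Client "10.20.0.15", anon password "?"
Mon Dec 21 09:58:05 2020 [pid 4102] [ftp] OK DOWNLOAD: Client "10.20.0.15", "/wnos/wnos.ini", 2048 bytes, 500.00Kbyte/sec
Mon Dec 21 10:03:12 2020 [pid 4209] [ftp] OK LOGIN: Client "10.20.0.99", anon password "?"
Mon Dec 21 10:03:20 2020 [pid 4211] [ftp] OK UPLOAD: Client "10.20.0.99", "/wnos/wnos.ini", 2311 bytes, 120.00Kbyte/sec
Mon Dec 21 10:03:25 2020 [pid 4211] [ftp] OK UPLOAD: Client "10.20.0.99", "/wnos/ini/user1.ini", 800 bytes, 90.00Kbyte/sec
Mon Dec 21 10:15:00 2020 [pid 4300] [cfgadmin] OK LOGIN: Client "10.20.0.2"
Mon Dec 21 10:15:09 2020 [pid 4301] [cfgadmin] OK UPLOAD: Client "10.20.0.2", "/wnos/wnos.ini", 2048 bytes, 300.00Kbyte/sec
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'OK (?P<op>LOGIN|UPLOAD|DOWNLOAD): Client "(?P<ip>[\d.]+)"'
    r'(?:, "(?P<path>[^"]+)")?(?P<anon>, anon password)?'
)

@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    rule: str
    ip: str
    path: str = ""

def scan_ftp_log(text: str) -> list[Finding]:
    """Flag unauthenticated (anonymous) access to the thin-client file server,
    and especially anonymous writes to *.ini configuration files."""
    findings: list[Finding] = []
    anonymous_clients: set[str] = set()   # IPs whose most recent login was anonymous
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, op, path = m["ip"], m["op"], m["path"] or ""
        if op == "LOGIN":
            if m["anon"]:
                anonymous_clients.add(ip)
                findings.append(Finding("medium", "anonymous_login", ip))
            else:
                anonymous_clients.discard(ip)
        elif op == "UPLOAD" and ip in anonymous_clients:
            # Any anonymous write is bad; a write to an INI file is the
            # configuration-tampering path the advisory describes.
            rule = "anonymous_ini_write" if path.lower().endswith(".ini") else "anonymous_write"
            findings.append(Finding("high", rule, ip, path))
    return findings

if __name__ == "__main__":
    for f in scan_ftp_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:20} {f.ip:12} {f.path}")
```

Read-only servers produce no UPLOAD lines at all, so on a correctly hardened server this check should only ever report anonymous logins, and none once anonymous access is disabled.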
In May 2019, security researchers reported a dangerous RCE vulnerability in Dell’s SupportAssist Client software. The bug could allow remote unauthenticated attackers on the same Network Access layer to execute arbitrary code on vulnerable Dell machines.