Are you a Dell customer? Be alert as Talos researchers have discovered that Dell’s pre-installed software contains vulnerabilities that could allow attackers to disable security programs. The flaws could also lead to escalation of privilege attacks.
More specifically, three separate vulnerabilities have been unearthed affecting specific Dell systems. Customers are advised to apply patches immediately. “Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace,” researchers said.
The first vulnerability is a privilege escalation flaw in the SboxDrv.sys driver.
The flaw is a double fetch in the SboxDrv.sys driver. It is triggered by sending crafted data to the \Device\SandboxDriverApi device, which is read/write accessible to everyone. If the attack succeeds, an arbitrary value is written to kernel memory space, which can then lead to local privilege escalation.
Known vulnerable devices are: Invincea-X, Dell Protected Workspace 6.1.3-24058.
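The double-fetch pattern described above is easiest to see in a small simulation, and the mitigation is always the same: read user-supplied data into kernel memory once and validate that copy. The following Python is an added example written for this article, not code from SboxDrv.sys or Talos; `RacingBuffer`, `KERNEL_BUF_SIZE` and the two handler functions are assumptions constructed for the demonstration, with `RacingBuffer` standing in for a user-mode thread that rewrites a length field between the driver's check and its use.

```python
"""Simulated double fetch in an ioctl-style handler.

The vulnerable handler validates a length field read from a user-controlled
buffer, then reads the field a second time when copying. Because the buffer
stays under user control, a concurrent user-mode writer can change the value
between the two reads. The fixed handler captures the field once.
"""

KERNEL_BUF_SIZE = 64  # constructed limit for the simulated kernel buffer


class RacingBuffer:
    """Stands in for user-mode memory being modified by a racing thread:
    each read of the length field returns the next value in `lengths`
    (the last value repeats once the list is exhausted)."""

    def __init__(self, lengths, payload):
        self._lengths = list(lengths)
        self.payload = payload

    def read_length(self):
        if len(self._lengths) > 1:
            return self._lengths.pop(0)
        return self._lengths[0]


def handler_double_fetch(user_buf):
    """Vulnerable: checks one fetch of the length and uses a second fetch."""
    if user_buf.read_length() > KERNEL_BUF_SIZE:   # first fetch: the check
        return "rejected"
    n = user_buf.read_length()                     # second fetch: the use
    kernel_buf = user_buf.payload[:n]              # simulated copy into kernel
    if len(kernel_buf) > KERNEL_BUF_SIZE:          # what a real driver would not notice
        return "overflow"
    return "copied %d" % len(kernel_buf)


def handler_single_fetch(user_buf):
    """Fixed: the length is copied once into a kernel-owned local and both
    the check and the copy operate on that snapshot."""
    n = user_buf.read_length()
    if n > KERNEL_BUF_SIZE:
        return "rejected"
    kernel_buf = user_buf.payload[:n]
    return "copied %d" % len(kernel_buf)


if __name__ == "__main__":
    # Constructed race: 16 passes the check, 4096 is seen at the copy.
    race = lambda: RacingBuffer([16, 4096], b"A" * 4096)
    print("double fetch:", handler_double_fetch(race()))   # overflow
    print("single fetch:", handler_single_fetch(race()))   # copied 16
```

The simulated race is deterministic so that the difference between the two handlers is visible on every run; in a real driver the window is a genuine timing race, which is why the fix is structural (one fetch) rather than a faster check.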
The next flaw, CVE-2016-8732, is located within Invincea Dell Protected Workspace, a security solution by Dell intended to provide enhanced protection for endpoint devices. However, Talos has located multiple flaws within one of its driver components, InvProtectDrv.sys, included in version 5.1.1-22303. “Due to weak restrictions on the driver communications channel, as well as insufficient validation, an attacker controlled application that is executed on an affected system could leverage this driver to effectively disable some of the protection mechanisms provided by the software,” Talos explains.
The flaw has been fixed in the 6.3.0 release of the software.
The third vulnerability is a protection bypass affecting the Dell PPO Service, which is part of the Dell Precision Optimizer application. When the Dell PPO Service starts, the program c:\Program Files\Dell\PPO\poaService.exe loads the file c:\Program Files\Dell\PPO\ati.dll. An attempt is then made to load atiadlxx.dll, which is not present by default in the application directory.
The program then tries to locate an appropriately named DLL in the directories specified by the PATH environment variable, Talos explains. If such a DLL is found, it is loaded into poaService.exe without checking the file's signature. This allows execution of arbitrary code if an attacker supplies a malicious DLL with the correct name.
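A defender can audit this class of weakness without touching the vulnerable service: model the search order the article describes (application directory first, then each PATH entry in turn), find where a named DLL would actually be resolved from, and flag any PATH directory that is searched before that point and is writable by unprivileged users. The Python below is an added example written for this article, not Dell or Talos code; the directory layout it builds under a temporary folder is constructed, and `world_writable`, `resolve_dll`, `hijack_candidates` and `build_demo_tree` are assumed helper names. It checks POSIX mode bits, so on a real Windows host the writability test would need to inspect the directory ACL instead.

```python
"""Audit where a DLL that is absent from an application's own directory would
be resolved from, and which of those search locations unprivileged users can
write to. Constructed demonstration, not the vendor's code."""
import os
import stat
import tempfile

DLL_NAME = "atiadlxx.dll"  # the DLL the article says poaService.exe tries to load


def world_writable(directory):
    """True when 'others' hold write permission (POSIX mode bits). On Windows
    this is only a stand-in; an ACL check is the equivalent test there."""
    return bool(os.stat(directory).st_mode & stat.S_IWOTH)


def resolve_dll(dll_name, app_dir, path_entries):
    """First directory, in simplified load order (app dir, then PATH in order),
    that contains dll_name; None if the DLL is found nowhere."""
    for directory in [app_dir, *path_entries]:
        if os.path.isfile(os.path.join(directory, dll_name)):
            return directory
    return None


def hijack_candidates(dll_name, app_dir, path_entries):
    """PATH directories searched before the DLL is found (or all of them when
    it is never found) that an unprivileged user could write to. A file with
    the expected name placed in any of them would be loaded unsigned."""
    found_in = resolve_dll(dll_name, app_dir, path_entries)
    candidates = []
    for directory in path_entries:
        if directory == found_in:
            break
        if os.path.isdir(directory) and world_writable(directory):
            candidates.append(directory)
    return candidates


def place_dll(directory, dll_name):
    """Simulate a vendor shipping the DLL in a protected directory."""
    open(os.path.join(directory, dll_name), "wb").close()


def build_demo_tree():
    """Constructed layout: the app dir holds only ati.dll; PATH contains a
    locked-down 'System32' dir followed by a world-writable 'tools' dir;
    atiadlxx.dll is absent everywhere, as the article describes."""
    root = tempfile.mkdtemp(prefix="dllaudit-")
    app_dir = os.path.join(root, "PPO")
    system_dir = os.path.join(root, "System32")
    tools_dir = os.path.join(root, "tools")
    for d, mode in ((app_dir, 0o755), (system_dir, 0o755), (tools_dir, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)
    place_dll(app_dir, "ati.dll")
    return app_dir, [system_dir, tools_dir]


if __name__ == "__main__":
    app_dir, path_entries = build_demo_tree()
    print("resolved from:", resolve_dll(DLL_NAME, app_dir, path_entries))
    for d in hijack_candidates(DLL_NAME, app_dir, path_entries):
        print("writable search location reached before the DLL:", d)
```

Run on a real host, the same two functions take the application directory and `os.environ["PATH"].split(os.pathsep)`; an empty candidate list means every writable PATH entry sits after the directory the DLL is actually loaded from, which is the state the vendor patch restores by shipping the file itself.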
Dell has released a patch; versions from v4.0 onwards aren’t vulnerable.
All affected parties are urged to update as soon as possible.