The high-severity vulnerability (CVE-2019-12280) stems from a component in SupportAssist, a proactive monitoring tool preinstalled on Dell PCs that provides automatic hardware-failure detection and notifications. That component is made by a company called PC-Doctor, which develops hardware-diagnostic software for various PC and laptop original equipment manufacturers (OEMs).
Peleg Hadar, a security researcher with SafeBreach Labs who discovered the vulnerability, said that SupportAssist is preinstalled on most Dell devices running Windows, which means that as long as the software is not patched, this vulnerability probably affects many Dell users.
A patch has been released by PC-Doctor.
Dell sought to downplay the flaw, telling users to switch on automatic updates or manually update their SupportAssist software. Because most customers have automatic updates enabled, around 90 percent of customers to date have received the patch, said a Dell spokesperson.
SupportAssist checks the health of system hardware and software and runs with high privileges. The vulnerable PC-Doctor component is a signed driver installed with SupportAssist, which allows SupportAssist to access hardware such as physical memory or the PCI bus.
The component has a dynamic link library (DLL) loading vulnerability that could allow a malicious actor to load an arbitrary unsigned DLL into the service. A DLL is a Windows file format that holds code and data shared by multiple programs, loaded into a process at run time.
When the program loads a DLL: “No digital certificate validation is made against the binary. The program doesn’t validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL without any hesitation.”
Because the PC-Doctor component carries Microsoft-signed certificates granting it kernel-mode and SYSTEM access, a bad actor able to load a DLL into it would achieve privilege escalation and persistence – including read/write access to low-level components such as physical memory, the System Management BIOS, and more.
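A defender-side check for the class of flaw described above, added here as an example (it is not code from the article, PC-Doctor, Dell or the researcher): it lists every module loaded into a running process and reports those whose Authenticode signature is missing or invalid, which is exactly what a service doing its own signature validation would have refused to load. The process name is a placeholder to be replaced with the image name of the privileged service being audited.

```powershell
# Added example (not from the original article): report modules loaded into a running
# process whose Authenticode signature is missing or invalid.
# $ProcessName is a placeholder; replace it with the image name (without .exe) of the
# privileged service you are auditing. Run from an elevated PowerShell session so the
# module list of a SYSTEM service can be read.
function Find-UnsignedLoadedModule {
    param(
        [Parameter(Mandatory)]
        [string]$ProcessName
    )

    $results = @()
    foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
        try {
            $modules = $proc.Modules
        } catch {
            # Reading modules of a process with a different bitness can fail; report and continue.
            Write-Warning "Could not enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
            continue
        }

        foreach ($module in $modules) {
            $path = $module.FileName
            if ([string]::IsNullOrEmpty($path)) { continue }

            # Get-AuthenticodeSignature checks embedded signatures and, on Windows 8 and later,
            # catalog signatures, so catalog-signed OS DLLs report Valid rather than NotSigned.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $results += [pscustomobject]@{
                    ProcessId = $proc.Id
                    Module    = $path
                    Status    = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                }
            }
        }
    }
    return $results
}

# Usage: replace the placeholder with the real process name, then review anything returned.
Find-UnsignedLoadedModule -ProcessName 'PLACEHOLDER_SERVICE_PROCESS' | Format-Table -AutoSize
```

This only inspects modules already loaded; it does not tell you which directories the service would search if an expected DLL were absent, so a clean result is a point-in-time check rather than proof the loader validates signatures.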