A component in SupportAssist software pre-installed on Dell PCs – and other OEM devices – opens systems up to DLL hijacking attacks.

Millions of PCs made by Dell and other OEMs are vulnerable to a flaw stemming from a component in pre-installed SupportAssist software. The flaw could enable a remote attacker to completely takeover affected devices.

The high-severity vulnerability (CVE-2019-12280) stems from a component in SupportAssist, a proactive monitoring software pre-installed on PCs with automatic failure detection and notifications for Dell devices. That component is made by a company called PC-Doctor, which develops hardware-diagnostic software for various PC and laptop original equipment manufacturers (OEMs).

“According to Dell’s website, SupportAssist is preinstalled on most of Dell devices running Windows, which means that as long as the software is not patched, this vulnerability probably affects many Dell users,” Peleg Hadar, security researcher with SafeBreach Labs – who discovered the breach – said in a Friday analysis.

A patch has been issued by PC-Doctor that fixes impacted devices. Impacted customers can find the latest version of SupportAssist here (for single PC users) or here (for IT managers).

Dell sought to downplay the flaw, telling Threatpost that customers are urged to turn on automatic updates or manually update their SupportAssist software. Because most customers have automatic updates enabled, around 90 percent of customers to date have received the patch, said a Dell spokesperson.

“Our first priority is product security and helping our customers ensure the security of their data and systems,” the spokesperson said. “The vulnerability discovered by SafeBreach is a PC Doctor vulnerability, a third-party component that ships with Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs. PC Doctor moved quickly to release the fix to Dell, we implemented it and released updates on May 28, 2019 for the affected SupportAssist versions.”

The vulnerability stems from a component in SupportAssist, which checks the health of system hardware and software and requires high permissions. The vulnerable PC-Doctor component is a signed driver installed in SupportAssist. This allows SupportAssist to access the hardware (such as physical memory or PCI).

The component has a dynamic link library (DLL) loading vulnerability glitch that could allow a malicious actor to load an arbitrary unsigned DLL into the service. A DLL is a file format used for holding multiple processes for Windows programs.

When loading a DLL into the program, “No digital certificate validation is made against the binary,” said Hadar. “The program doesn’t validate whether the DLL that it will load is signed. Therefore, it will load an arbitrary unsigned DLL without any hesitation.”

Because the PC-Doctor component has signed certificates from Microsoft for kernel-mode and SYSTEM access, if a bad actor is able to load the DLL they would achieve privilege escalation and persistence – including read/write access to low-level components including physical memory, System Management BIOS, and more.

Hadar told Threatpost that a remote attacker could exploit the flaw. All that the bad actor would need to do is persuade the victim to download a malicious file (using social engineering or other tactics) to a certain folder.

“The required privileges are depends on the ‘PATH env’ variable of the user, if he has a folder which a regular user can write to, no high privileges are necessary,” Hadar told Threatpost.”After an attacker exploits the flaw he gains execution as SYSTEM within a signed service, basically he can do whatever he wants, including using PC-Doctor signed kernel driver in order read and write physical memory.”

Making matters worse, the component in SupportAssist also impact an array of other OEMs who are using rebranded versions of it – meaning that other unnamed OEM devices are vulnerable as well, said security researchers with SafeBreach Labs.

PC-Doctor did not disclose who the other impacted OEMs are, but did say that patches have been released to address “all affected products.”

“PC-Doctor became aware of an uncontrolled search path element vulnerability in PC-Doctor’s Dell Hardware Support Service and PC-Doctor Toolbox for Windows,” a PC-Doctor spokesperson told Threatpost. This vulnerability allows local users to gain privileges and conduct DLL hijacking attacks via a trojan horse DLL located in an unsecured directory which has been added to the PATH environment variable by a user or process running with administrative privileges. PC-Doctor takes software security seriously and as such has already released updates to all affected products to address the issue.”