[German]The Dell SupportAssist Client, which ships with Dell devices, has several vulnerabilities that allow Remote Code Execution (RCE). Dell has therefore issued a security advisory.
The details can be found in the DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities, which was released on April 23, 2019, but is still attracting attention [1, 2].
Dell SupportAssist Client with RCE vulnerabilities
Dell states that the Dell SupportAssist Client with versions prior to 22.214.171.124 is affected by multiple vulnerabilities. Dell writes:
Dell SupportAssist Client has been updated to address multiple vulnerabilities which may be potentially exploited to compromise the system.
Workaround: upgrade the Dell SupportAssist Client to version 126.96.36.199.
Improper Origin Validation (CVE-2019-3718)
Dell SupportAssist client versions prior to 188.8.131.52 contain an improper origin validation vulnerability. An unauthenticated remote attacker could exploit this vulnerability to attempt cross-site request forgery (CSRF) attacks on users of the affected systems. Dell rates this vulnerability with a CVSSv3 base score of 7.6, which is quite high.
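The vulnerability class named above is worth spelling out for anyone who maintains a local helper service that browsers talk to. The following PowerShell illustration is added here and is not Dell's code, nor a description of what the SupportAssist check actually looked like: it contrasts a generic weak origin check (a substring match on a trusted domain name) with a strict one that parses the Origin header and compares scheme, host and port against an exact allowlist. The allowlist entries and sample origins are constructed for the example.

```powershell
# Added illustration (not Dell's code): validating a browser's Origin header
# for a local service. The allowlist below is constructed for the example.
$AllowedOrigins = @('https://www.dell.com', 'https://supportassist.dell.com')

function Test-OriginWeak {
    # The flawed pattern: accept any origin whose text merely contains a
    # trusted domain. A substring match says nothing about the real host.
    param([string]$Origin)
    return ($Origin -like '*dell.com*')
}

function Test-OriginStrict {
    # The correct pattern: parse the header as an absolute URI, require HTTPS,
    # and compare the (scheme, host, port) tuple exactly against the allowlist.
    param([string]$Origin, [string[]]$Allowed = $AllowedOrigins)
    $uri = $null
    if (-not [uri]::TryCreate($Origin, [UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -ne 'https') { return $false }
    $normalized = '{0}://{1}:{2}' -f $uri.Scheme, $uri.Host.ToLowerInvariant(), $uri.Port
    foreach ($entry in $Allowed) {
        $allowedUri = [uri]$entry
        $candidate  = '{0}://{1}:{2}' -f $allowedUri.Scheme, $allowedUri.Host.ToLowerInvariant(), $allowedUri.Port
        if ($candidate -eq $normalized) { return $true }
    }
    return $false
}

# Constructed sample origins: a genuine one, a look-alike host under a
# different registrable domain, a plain-HTTP variant, and the literal 'null'
# origin that browsers send for opaque contexts.
$samples = @('https://www.dell.com', 'https://dell.com.example', 'http://www.dell.com', 'null')
foreach ($origin in $samples) {
    '{0,-28} weak={1,-5} strict={2}' -f $origin, (Test-OriginWeak $origin), (Test-OriginStrict $origin)
}
```

Only the first sample passes the strict check; the weak check also accepts the look-alike host and the plain-HTTP variant, which is exactly the gap a CSRF-style request from a third-party page exploits. A service that rejects anything but an exact origin match (and sends no CORS allow header for it) closes that gap.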
Remote Code Execution Vulnerability (CVE-2019-3719)
Dell SupportAssist client versions prior to 184.108.40.206 contain a remote code execution vulnerability. An unauthenticated attacker who shares the network access layer with the vulnerable system may compromise the vulnerable system. This is accomplished by the attacker causing an affected user to execute arbitrary executables from Web sites hosted by the attacker via the SupportAssist client. Dell rates this vulnerability with a CVSSv3 base score of 7.1, which is quite high.
Dell recommends an immediate upgrade
The Dell SupportAssist Client version 220.127.116.11 and later fixes these vulnerabilities. Dell encourages all customers to upgrade to this version as soon as possible. You can download it from the following Dell page:
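Before rolling out the update, an administrator will want to know which machines still run an affected build. The following PowerShell script is an added example, not something from Dell or from the original post: it reads the installed SupportAssist entries from the standard Uninstall registry keys (both the 64-bit and the WOW6432Node views) and compares each DisplayVersion against the fixed version. The fixed version is deliberately left as a mandatory parameter rather than hard-coded, so fill it in from DSA-2019-051 when you run it.

```powershell
# Added example (not Dell's code): report installed SupportAssist versions
# that are older than the fixed version named in DSA-2019-051.
# Usage:  .\Check-SupportAssist.ps1 -FixedVersion <version from the advisory>
param(
    [Parameter(Mandatory = $true)]
    [version]$FixedVersion   # supply the fixed version from DSA-2019-051
)

function Get-SupportAssistInstall {
    # Installed programs are registered under these two Uninstall hives.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Test-SupportAssistVulnerable {
    # Returns $true when the installed version is older than the fixed one.
    # An unparseable version string is reported as needing review rather than
    # silently treated as safe.
    param([string]$InstalledVersion, [version]$Fixed)
    $parsed = $null
    if (-not [version]::TryParse($InstalledVersion, [ref]$parsed)) { return $true }
    return ($parsed -lt $Fixed)
}

$installs = @(Get-SupportAssistInstall)
if ($installs.Count -eq 0) {
    'No SupportAssist installation found on {0}.' -f $env:COMPUTERNAME
}
foreach ($app in $installs) {
    $needsUpdate = Test-SupportAssistVulnerable -InstalledVersion $app.DisplayVersion -Fixed $FixedVersion
    $status = if ($needsUpdate) { 'UPDATE REQUIRED' } else { 'OK' }
    '{0}: {1} {2} -> {3}' -f $env:COMPUTERNAME, $app.DisplayName, $app.DisplayVersion, $status
}
```

Run it locally with administrative rights, or wrap it in `Invoke-Command` against a list of hosts to get a fleet-wide view; the comparison uses .NET's `[version]` type, so four-part version strings compare numerically rather than as text.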