Critical Bugs in Dell Wyse Thin Clients Allow Code Execution, Client Takeovers

December 21, 2020

The bugs rate 10 out of 10 on the vulnerability-severity scale, thanks to the ease of exploitation.

Dell has patched two critical security vulnerabilities in its Dell Wyse Thin Client devices, which are compact form-factor computers optimized for connecting to a remote desktop. The bugs allow arbitrary code execution and the ability to access files and credentials, researchers said.


Thin clients have none of the standard processing power or intelligence on board that normal PCs would have; instead, they act as less-intelligent terminals that connect to applications hosted on a remote computer. They're usually used in environments where employers give employees access to only a select set of applications or resources, or for remote workers to connect back to headquarters.

Wyse has been developing thin clients since the 1990s and was acquired by Dell in 2012. In the U.S. alone, more than 6,000 companies and organizations are using Dell Wyse thin clients inside their network, with many of these (but not all) being healthcare providers, according to researchers at CyberMDX, who discovered the flaws.


As for how many devices are potentially affected, it's unclear, but Dell has said in the past that there are “millions” of Dell Wyse Thin Clients deployed within organizations.

The devices run ThinOS, which is remotely maintained by default using a local File Transfer Protocol (FTP) server, from which devices pull new firmware, packages and configurations.

The first bug (CVE-2020-29491) stems from the fact that Wyse Thin Client devices periodically ping the server in order to pull their latest configurations, the researchers found. They do so with no authentication. The issue is that “the configuration for all thin clients are found on a remote server, accessible for everyone on the network to study,” Elad Luz, head of research at CyberMDX, told Threatpost. “Meaning that a third-party in the network could also obtain people configuration information, and just by reading them, could potentially compromise a product. This is since these configuration data files might consist of credentials for different solutions of remote obtain.”

The second bug (CVE-2020-29492) exists because the server where those configurations are stored permits read-and-write access to its configuration files, enabling anyone within the network to read and alter them using FTP.

“The second vulnerability is the more naturally harmful of the two and permits all those documents to be published, providing the solution to change them. The two may possibly sound identical but they are taken care of as two various issues mainly because correcting just one particular of them does not repair the other,” Luz explained.

Together, the bugs pave the way for havoc and, unfortunately, are trivial to exploit.

“One of the principal motives this vulnerability is critical is that its attack complexity is really uncomplicated,” said Luz. “All it normally takes is uploading an altered text configuration file to a configuration server through FTP. No authentication to the thin client is demanded; the only possible authentication is with the FTP server (for uploading the configuration), but by default it is put in with no qualifications.”

Even if credentials were used, they would be the same for the entire Wyse fleet in an organization, which would still be an insecure approach, he noted.

Attackers would need to have access to the organization's network in order to carry out the attacks, which they can achieve through an initial-access attack via email or by exploiting another vulnerability.
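One way a defender could watch for the configuration-write path described above, shown as an added example that is not from CyberMDX, Dell or the original article. It assumes the FTP configuration server writes transfer logs in the common xferlog format; the admin host, file paths and log lines are constructed placeholders.

```python
# Assumption: the only host permitted to publish thin-client configuration.
ADMIN_HOSTS = {"10.0.0.10"}

# Constructed xferlog-format lines (placeholder paths and addresses, not real traffic).
SAMPLE_LOG = """\
Mon Dec 21 09:00:01 2020 1 10.0.5.23 2048 /configs/thinclient.ini a _ o a anonymous ftp 0 * c
Mon Dec 21 09:02:10 2020 1 10.0.0.10 2101 /configs/thinclient.ini a _ i r cfgadmin ftp 0 * c
Mon Dec 21 09:14:02 2020 1 10.0.7.88 2190 /configs/thinclient.ini a _ i a anonymous ftp 0 * c
Mon Dec 21 09:15:40 2020 3 10.0.7.88 51200 /configs/firmware.bin b _ o a anonymous ftp 0 * c
Mon Dec 21 09:20:00 2020 1 10.0.7.88 900 /configs/inc/site a.ini a _ i a anonymous ftp 0 * i
"""

def parse_xferlog(line):
    """Parse one xferlog line; the filename may contain spaces, so index from both ends."""
    tok = line.split()
    if len(tok) < 18:          # 5 date tokens + 3 fields + filename + 9 trailing fields
        return None
    tail = tok[-9:]
    return {
        "time": " ".join(tok[:5]),
        "host": tok[6],
        "file": " ".join(tok[8:-9]),
        "direction": tail[2],  # i = upload, o = download, d = delete
        "access": tail[3],     # a = anonymous, g = guest, r = real account
        "user": tail[4],
        "complete": tail[8] == "c",
    }

def find_config_tampering(log_text, admin_hosts=ADMIN_HOSTS):
    """Return (reason, record) pairs for writes to .ini files that need review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or not rec["file"].lower().endswith(".ini"):
            continue
        if rec["direction"] not in ("i", "d"):
            continue           # downloads are the clients' normal polling
        if rec["host"] not in admin_hosts:
            findings.append(("write-from-non-admin-host", rec))
        elif rec["access"] == "a":
            findings.append(("anonymous-write-from-admin-host", rec))
    return findings

if __name__ == "__main__":
    for reason, rec in find_config_tampering(SAMPLE_LOG):
        print(reason, rec["time"], rec["host"], rec["file"], rec["user"])
```

Incomplete uploads are reported too, since a partial write still changes the file the fleet will pull.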

INI File Modifications

One of the most concerning outcomes of an attack is the ability to “modify the INI file holding configuration settings for the thin-client devices,” according to a CyberMDX blog post issued on Monday.

The INI files contain a long list of configurable parameters, according to the company. Reading or altering those parameters opens the door to a variety of attack scenarios, including configuring and enabling virtual network computing (VNC) for full remote control, leaking remote-desktop credentials, and manipulating DNS results.

“A basic example – those units can be configured to allow VNC (a type of distant desktop handle), credentials could be established, user prompt for this can be disabled,” Luz told Threatpost. “Given that a malicious actor [uses] the VNC configuration inside the INI file, they will be equipped to obtain each desktop session from just about every of the thin clients. This will obtain them the capability to remotely obtain information on all those distant desktops and run arbitrary code there. It is identical to having unrestricted access to the fleet of pc desktops within an corporation.”

Both flaws were given CVSS vulnerability-severity scores of 10 out of 10.

“One of the most important issues is that security is generally forgotten for the duration of the style stage of these equipment,” said Luz.

All Dell Wyse Thin Clients running ThinOS versions 8.6 and below are affected. Dell has issued a patch, and admins should update to version 9.x where possible. Others may have to use a workaround.

“Models which are compatible with ThinOS 9.x are now patched, other styles really should implement a distinct mitigation and perhaps wait for a newer release of ThinOS 8.x (could possibly be released this really week),” Luz said.

There has so far been no evidence of exploitation in the wild, he told Threatpost.


Some parts of this article are sourced from:
threatpost.com
