The vulnerabilities carry a CVSS severity score of 10 out of 10, reflecting how little effort it takes to exploit them.
Dell has patched two critical security flaws in its Dell Wyse Thin Client Devices, which are optimized for connecting to a remote desktop. The vulnerabilities allow arbitrary code execution and access to files and credentials, according to researchers.
Thin clients are minimal terminals that connect to applications hosted on a remote computer; they lack the processing power and local functionality of conventional PCs. They are frequently employed in environments where employers restrict access to a subset of applications or resources, or by remote workers connecting back to headquarters.
Since the 1990s, Wyse has been developing thin clients, and in 2012, Dell acquired the company. According to CyberMDX researchers, more than 6,000 companies and organizations in the United States use Dell Wyse thin clients within their network, with many of these (but not all) being healthcare providers.
Uncertainty surrounds the number of potentially affected devices, but Dell has previously stated that “millions” of Dell Wyse Thin Clients are deployed within organizations.
The devices utilize ThinOS, which is maintained remotely by default using a local File Transfer Protocol (FTP) server, from which the devices retrieve new firmware, packages, and configurations.
The first flaw (CVE-2020-29491), discovered by researchers, stems from the fact that Wyse Thin Client devices periodically ping the server to retrieve their most recent configurations. They perform this without authentication. The problem is that “the configuration for all thin clients is located on a remote server, which is accessible to anyone on the network,” CyberMDX’s head of research told Threatpost. “Meaning that a third party in the network could potentially compromise a device by simply reading its configuration files. This is because configuration files may contain credentials for various remote access methods.”
The second vulnerability (CVE-2020-29492) exists because the server that stores these configurations allows read-and-write access to its configuration files, allowing anyone on the network to read and modify them via FTP.
“The second vulnerability is the more egregiously dangerous of the two because it allows those files to be written, allowing for their modification. Although they may sound similar, they are treated as separate issues because resolving one does not resolve the other,” Luz explained.
Together, the flaws pave the way for chaos and are sadly easy to exploit.
“One of the primary reasons why this vulnerability is so serious is that its attack complexity is so simple,” Luz explained. “Uploading a modified text configuration file via FTP to a configuration server is sufficient. No authentication is required for the thin client; the only possible authentication is with the FTP server (for the configuration upload), but by default, it is installed without credentials.”
Even if credentials were applied, they would be the same for an organization’s entire Wyse fleet, which would be an insecure method, he noted.
To carry out the attacks, attackers must gain access to the organization’s network, which they can do through an initial-access attack via email or by exploiting another vulnerability.
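As an added example (not code from Dell, CyberMDX or Threatpost), the following Python script probes a thin-client configuration server for exactly the two conditions described above: whether it accepts an anonymous login the way a thin client would, whether the fleet configuration file can then be read, and whether the same directory can be written to. It uses only the standard library's ftplib. The directory /wyse/wnos and the file name wnos.ini are assumed defaults and should be changed to match the server under test; FakeFtpServer and SAMPLE_WNOS_INI are constructed stand-ins so the logic can be exercised offline.

```python
import ftplib
import io
import sys

CONFIG_DIR = "/wyse/wnos"      # assumed default ThinOS config directory; adjust for your server
CONFIG_FILE = "wnos.ini"       # assumed default ThinOS config file name
CANARY = "__audit_canary.txt"  # temporary file used to probe write access
SECRET_TOKENS = ("password", "passwd", "pwd", "secret")

# Constructed sample config (illustrative parameter names, not a real fleet file).
SAMPLE_WNOS_INI = b"""; constructed sample wnos.ini
AutoLoad=1
ConnectionBroker=VMware Host=broker.example.internal
Username=kiosk Password=Winter2020!
"""


def audit_config_server(ftp, config_dir=CONFIG_DIR, config_file=CONFIG_FILE):
    """Probe an already-connected ftplib.FTP-like object and return the findings."""
    findings = {"anonymous_login": False, "config_readable": False,
                "config_writable": False, "credential_like_lines": []}
    try:
        ftp.login()  # no user/password: anonymous login, as a thin client would do
    except ftplib.error_perm:
        return findings  # server demands credentials; the rest cannot be probed
    findings["anonymous_login"] = True
    try:
        ftp.cwd(config_dir)
    except ftplib.error_perm:
        return findings  # config directory absent or not listable for anonymous users

    # Condition behind CVE-2020-29491: anyone on the network can read the fleet config.
    buf = io.BytesIO()
    try:
        ftp.retrbinary(f"RETR {config_file}", buf.write)
    except ftplib.error_perm:
        pass
    else:
        findings["config_readable"] = True
        text = buf.getvalue().decode("utf-8", errors="replace")
        findings["credential_like_lines"] = [
            line.strip() for line in text.splitlines()
            if any(tok in line.lower() for tok in SECRET_TOKENS)
        ]

    # Condition behind CVE-2020-29492: anyone on the network can also write there.
    try:
        ftp.storbinary(f"STOR {CANARY}", io.BytesIO(b"audit canary\n"))
    except ftplib.error_perm:
        pass
    else:
        findings["config_writable"] = True
        try:
            ftp.delete(CANARY)  # clean up; a failed delete does not change the verdict
        except ftplib.error_perm:
            pass
    return findings


class FakeFtpServer:
    """Constructed in-memory stand-in implementing the ftplib.FTP methods used above."""

    def __init__(self, allow_anonymous, files, writable):
        self.allow_anonymous = allow_anonymous
        self.files = dict(files)  # file name -> bytes
        self.writable = writable

    def login(self, user="", passwd="", acct=""):
        if not self.allow_anonymous and not passwd:
            raise ftplib.error_perm("530 Login incorrect.")

    def cwd(self, path):
        pass

    def retrbinary(self, cmd, callback, blocksize=8192, rest=None):
        name = cmd.split(" ", 1)[1]
        if name not in self.files:
            raise ftplib.error_perm("550 No such file")
        callback(self.files[name])

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        if not self.writable:
            raise ftplib.error_perm("553 Permission denied")
        self.files[cmd.split(" ", 1)[1]] = fp.read()

    def delete(self, name):
        self.files.pop(name, None)

    def quit(self):
        pass


def main(argv):
    if len(argv) > 1:
        ftp = ftplib.FTP(argv[1], timeout=10)  # real server named on the command line
    else:
        ftp = FakeFtpServer(allow_anonymous=True,
                            files={CONFIG_FILE: SAMPLE_WNOS_INI}, writable=True)
    findings = audit_config_server(ftp)
    ftp.quit()
    for name, value in findings.items():
        print(f"{name}: {value}")
    return 1 if findings["config_readable"] or findings["config_writable"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a hostname argument to test a real server (`python audit_wyse_ftp.py ftp.example.internal`), or with no argument to see the findings against the constructed stand-in. A non-zero exit status means the server exposes at least one of the two conditions; the canary upload is the only write the script performs and it removes it afterwards.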
INI File Modifications
The ability to modify the INI file containing configuration settings for thin-client devices is one of the most alarming outcomes of an attack, according to a CyberMDX blog post published on Monday.
According to the company, the INI files contain a long list of configurable parameters. Reading or modifying these parameters enables numerous attack scenarios, such as configuring and enabling virtual network computing (VNC) for full remote control, leaking remote-desktop credentials, and manipulating DNS results.
“As an example, these devices can be configured to permit VNC (a type of remote desktop control), credentials can be set, and the user prompt can be disabled,” Luz told Threatpost. “If a malicious actor uses the VNC configuration within the INI file, they will be able to access every desktop session from every thin client. This will give them the ability to remotely access files and execute arbitrary code on remote desktops. It is comparable to having unlimited access to an organization’s fleet of desktop computers.”
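Because the attack described above amounts to rewriting a plain-text INI file, one practical defence is to compare the copy the FTP server is actually handing out against a known-good baseline and flag any change that touches remote-control, credential, name-resolution or session-endpoint settings. The following Python script is an added example (not code from Dell, CyberMDX or Threatpost) of that check. The parameter names in BASELINE_INI and SERVED_INI are constructed and illustrative only; real ThinOS parameter names vary by release and are not reproduced here, and the RISKY_PATTERNS heuristics are assumptions to be tuned against your own fleet's configuration.

```python
import re

# Heuristics for the attack outcomes named above (VNC enablement, credential changes,
# DNS manipulation) plus redirection of sessions to another host. Hypothetical:
# tune these against the parameter names your fleet actually uses.
RISKY_PATTERNS = {
    "remote-control": re.compile(r"vnc|shadow", re.I),
    "credential": re.compile(r"passw|pwd|secret|credential", re.I),
    "name-resolution": re.compile(r"dns|nameserver|domain", re.I),
    "endpoint": re.compile(r"host|server|broker|url", re.I),
}

# Constructed baseline and served copies; parameter names are illustrative only.
BASELINE_INI = """; known-good copy kept by the administrator, off the FTP server
AutoLoad=1
ConnectionBroker=VMware Host=broker.example.internal
Service=vnc disable=yes
"""

SERVED_INI = """; copy fetched from the FTP server after an attacker rewrote it
AutoLoad=1
ConnectionBroker=VMware Host=broker.attacker.example
Service=vnc disable=no
VncPrompt=no
VncPassword=Letmein1
"""


def parse_ini(text):
    """Parse section-less 'Key=value [opt=value ...]' lines into {key: [values]}.
    Repeated keys (common in thin-client configs) are kept in order; ';' and '#'
    lines are comments. Only the text before the first '=' is treated as the key."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        config.setdefault(key.strip(), []).append(value.strip())
    return config


def diff_config(baseline, served):
    """Return (key, old_values, new_values) for every key whose values differ."""
    changes = []
    for key in sorted(set(baseline) | set(served)):
        old, new = baseline.get(key, []), served.get(key, [])
        if old != new:
            changes.append((key, old, new))
    return changes


def classify(changes):
    """Tag each change with the risk categories matched by its key or new values."""
    report = []
    for key, old, new in changes:
        haystack = key + " " + " ".join(new)
        risk = [name for name, pat in RISKY_PATTERNS.items() if pat.search(haystack)]
        report.append({"key": key, "old": old, "new": new, "risk": risk})
    return report


def tampering_report(baseline_text, served_text):
    """Parse both copies, diff them and classify the result."""
    return classify(diff_config(parse_ini(baseline_text), parse_ini(served_text)))


if __name__ == "__main__":
    for entry in tampering_report(BASELINE_INI, SERVED_INI):
        flag = ",".join(entry["risk"]) or "-"
        print(f"[{flag}] {entry['key']}: {entry['old']} -> {entry['new']}")
```

The check is only as good as the baseline: keep the known-good copy somewhere the FTP server cannot reach (a version-controlled repository, for example), since an attacker with write access to the configuration directory could otherwise rewrite both copies. Running the comparison on a schedule, and alerting on any entry whose risk list is non-empty, turns the "upload a modified INI" attack into an event rather than a silent reconfiguration of the fleet.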
Both vulnerabilities received CVSS severity scores of 10 out of 10.
During the design phase of these devices, security is frequently neglected, according to Luz.
Affected are all Dell Wyse Thin Clients running ThinOS versions 8.6 and lower. Dell has released a patch; administrators should update to version 9.x as soon as possible. Others might require a workaround.
“Other models should apply different mitigation and possibly wait for a newer release of ThinOS 8.x (which could be released this week),” Luz explained.