Critical Flaws Put Dell Wyse Thin Client Devices at RiskResearchers: Vulnerabilities Could Allow Remote Code Execution, Files Access
Researchers at the security firm CyberMDX have uncovered two significant vulnerabilities in certain Dell Wyse thin client devices that, if exploited, could enable threat actors to remotely run malicious code and access files on affected devices.
The potential impact of these vulnerabilities, coupled with the relative ease of exploitation, led to each receiving CVSS scores of 10 - the most critical.
These thin clients - small form-factor computers optimized for handling a remote desktop connection to other resources - are used by about 6,000 organizations in the U.S., especially in the healthcare sector, CyberMDX reports.
The vulnerabilities, which are tracked as CVE-2020-29491 and CVE-2020-29492, were discovered by CyberMDX researchers and brought to Dell's attention earlier this month. On Monday, Dell released an advisory and updates to help mitigate the two vulnerabilities and upgrade the operating systems used by these devices.
Oliver Tavakoli, CTO at the security firm Vectra, says the updates should be applied immediately because the two vulnerabilities can be easily exploited.
"All you need is a text editor and you can enable things like virtual network computing to the thin client," Tavakoli says. "The severity scores are what I would expect for a vulnerability that a middle-schooler should be able to exploit without having to resort to attack tools."
The two vulnerabilities are found in several versions of Dell Wyse thin client devices that run a lightweight operating system called ThinOs, according to a report by CyberMDX. The OS receives system updates, such as new firmware installations and other configurations, through a local FTP server, the report states.
The researchers found the FTP server used to connect to the operating systems is configured to have no credentials. And although firmware and package files found on the FTP server are digitally signed, INI files, which are used to store settings, are not, according to the report.
"Since there are no credentials, essentially anyone on the network can access the FTP server and modify that INI file holding configuration for the thin client devices," the report states.
Whenever a Dell Wyse device connects to the FTP server, the device searches for the INI file, which is displayed as the username on the device.
"If this INI file exists, it loads the configuration from it," the researchers say. "This file is writable, so it can be created and manipulated by an attacker to control the configuration received by a specific user."
This opens up the Dell Wyse thin clients to the two vulnerabilities.
Two Flaws Described
The first bug, CVE-2020-29491, found in Dell Wyse thin clients running versions 8.6 or earlier of ThinOS, contains an insecure default configuration flaw. An attacker could exploit this vulnerability to gain access to the information on the local network, leading to the compromise of impacted thin clients, according to the report.
The second flaw, CVE-2020-29492, is found in the same versions of ThinOS. It contains an insecure default configuration vulnerability. A remote unauthenticated attacker could exploit this vulnerability to further access the writable file and manipulate the configuration of any target-specific station, the report states.
Researchers at CyberMDX and Dell are urging users to upgrade to ThinOS 9.x. For users running thin client devices that cannot upgrade to the latest version, both companies recommend disabling the FTP server that provides updates to the operating system.
Dell also recommends securing the environment by using a secure protocol, such as HTTPS, and ensuring that the file servers have read-only access.