Dell PCs running the Windows operating system are reportedly affected by a “high severity” security vulnerability. Apparently, Dell’s SupportAssist, a utility meant to help diagnose and solve problems, could allow attackers to gain complete control of a PC by executing unsigned and unapproved code. Aware of the security threat, Dell has released two security patches for SupportAssist in as many months. However, unpatched systems remain vulnerable to privilege escalation attacks.

Dell has just released a second patch for the SupportAssist software. The software is essentially a set of tools that assists in diagnosing common problems and issues within the operating system. The application also offers a number of methods to address these issues. Incidentally, SupportAssist, unofficially referred to as bloatware, is pre-installed on the majority of the PCs that Dell ships. Unfortunately, a few bugs within the software can potentially give hackers a way to compromise a vulnerable or unpatched computer.

To address the security concerns, Dell has released updates for SupportAssist for Business and SupportAssist for Home. Apparently, the vulnerabilities lie in a component called PC Doctor. The software is a popular product from a U.S. software vendor. The vendor is the preferred developer for many PC makers. PC Doctor is essentially diagnostics software for hardware. OEMs regularly deploy the software on the computers they sell to monitor a system’s health. It is not clear whether PC Doctor merely looks for common issues and offers solutions or also helps OEMs remotely diagnose problems.

Dell quietly patched a SupportAssist vulnerability that affected millions of users by @jeffstone500

— CyberScoop (@CyberScoopNews) June 21, 2019

SupportAssist ships with most Dell laptops and computers running Windows 10. Back in April this year, Dell released a patch for a serious security bug after an independent security researcher found the support tool could be used by remote attackers to take over millions of vulnerable systems. That bug existed in Dell’s SupportAssist code itself. This time, however, the security vulnerability is inside a third-party software library provided by PC Doctor.

Security researchers discovered the flaw in a file called “Common.dll”. It is not immediately clear whether both SupportAssist and PC Doctor are needed to execute the privilege escalation attack or whether PC Doctor alone is enough. Experts, however, caution that other OEMs besides Dell that rely on the software should run a security check to ensure their solutions are not vulnerable to the hack.

Dell has already issued a security advisory after releasing the patch. Dell is strongly urging users of its branded PCs to update Dell SupportAssist. Dell SupportAssist for Business PCs currently sits at version 2.0, and Dell SupportAssist for Home PCs is on version 3.2.1. The version number changes once the patch is installed.

Despite the different version numbers, Dell has tagged the security vulnerability with a single code, “CVE-2019-12280”. After the patch is installed, Dell SupportAssist for Business PCs moves to version 2.0.1, and Dell SupportAssist for Home PCs goes up to 3.2.2. All previous versions remain vulnerable to the potential threat.

SupportAssist, which comes pre-installed on millions of Dell PCs, is based on a platform called PC-Doctor, and it can be abused to give attackers system-level access to hardware and software.

— TechRepublic (@TechRepublic) June 21, 2019

How Does The Privilege Escalation Attack On Dell PCs With SupportAssist Work?

As mentioned above, SupportAssist ships with most Dell laptops and computers running Windows 10. On Windows 10 Dell machines, a high-privilege service called ‘Dell Hardware Support’ seeks out several software libraries. The combination of the service’s high privilege, the large number of library requests it makes, and its default approval of those libraries is what a local attacker can use to gain escalated privileges. It is important to note that while the previous security vulnerability could be exploited by remote attackers, the most recently discovered bug requires the attacker to be on the same network.

A local attacker or a regular user could replace a software library with one of their own to achieve code execution at the operating system level. This can be achieved through Common.dll, a utility library used by PC Doctor. The problem lies in the way this DLL file is treated: apparently, the program doesn’t validate whether the DLL it is about to load is signed. Allowing a replaced and compromised DLL file to run unchecked is one of the most severe security risks.
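The two conditions described above, a library that a regular user can replace and a loader that never checks its signature, can be audited from the defender's side. The script below is an added example, not Dell or PC-Doctor code; it reports the Authenticode status of every DLL in a folder and whether low-privilege groups can write to the file or the folder. The `$Path` argument is a placeholder for the folder the diagnostics service loads libraries from, which the article does not give.

```powershell
# Added audit example (not Dell or PC-Doctor code).
# $Path is a placeholder: pass the folder the diagnostics service loads its DLLs from.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Well-known SIDs of low-privilege groups.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow replacing or planting a file, plus GENERIC_WRITE and GENERIC_ALL.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

function Test-LowPrivWrite {
    param([string]$Item)
    # Ask for rules with SIDs so unresolved account names cannot break the comparison.
    $rules = (Get-Acl -LiteralPath $Item).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        # Conservative: any Allow ACE with a write-type right counts; Deny ACEs are ignored.
        if ($r.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $r.IdentityReference.Value -and
            ([int]$r.FileSystemRights -band $writeBits)) {
            return $true
        }
    }
    return $false
}

$folderWritable = Test-LowPrivWrite -Item $Path

Get-ChildItem -LiteralPath $Path -Filter *.dll -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        Dll            = $_.Name
        Signature      = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer         = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        FileWritable   = Test-LowPrivWrite -Item $_.FullName
        FolderWritable = $folderWritable
    }
} | Sort-Object Signature | Format-Table -AutoSize
```

Any row whose Signature is not `Valid`, or where FileWritable or FolderWritable is `True`, marks a library that a non-administrative user could swap out before a privileged service loads it.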

Surprisingly, besides PCs, other systems that rely on PC Doctor as their base for similar diagnostic services could be vulnerable too. Some of the most popular products include Corsair Diagnostics, Staples EasyTech diagnostics, Tobii I-Series diagnostic tool, etc.