No, it is not the Superfish crap-ware scandal again, but these vulnerabilities have been described as a ‘hacker's best bud’ and a ‘drop everything and panic’ issue. All these devices run Windows, although Windows itself is not so much at fault as the companies that shipped this support-ware without proper testing. Researchers have yet to find similar vulnerabilities in HP and other major OEMs, but state that any remote support software is likely to have vulnerabilities.
Dell computers come with Dell System Detect which interacts with Dell Support ‘to provide a better and more personalised support experience’.
It includes CA root certificates called eDellRoot and DSDTestProvider that ship with their private key. This allows hackers to wirelessly monitor SSL communications from a spoofed wireless access point, send ‘death packets’ to replace the original key with their own, and gain access to the system.
It appears, however, that once the certificates are installed they are not removed by uninstalling the System Detect software. Dell has provided a manual removal method that involves editing the registry, which is laughably well beyond a typical computer user's pay grade. Dell has also worked with Microsoft and Intel Security (McAfee) to develop a removal program.
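For administrators who want to check a fleet rather than hand-edit the registry, the following PowerShell audit is an added example (not Dell's code or part of the original article): it searches the machine and user certificate stores for the two root certificates named above, reports whether a private key is attached, and optionally removes them. Matching is by subject name, since this page gives no thumbprints.

```powershell
# Added example: audit the Windows certificate stores for the eDellRoot and
# DSDTestProvider root certificates and report whether a private key is present.
# Run in an elevated PowerShell session; removal needs administrator rights.
param(
    [switch]$Remove   # pass -Remove to delete any matches after listing them
)

# Subject names come from the article; matched by CN because no thumbprint is given here.
$suspectNames = @('eDellRoot', 'DSDTestProvider')
$pattern = 'CN=(' + ($suspectNames -join '|') + ')(,|$)'

# Trusted root and intermediate CA stores for the machine and the current user:
# a root CA with its private key on disk is trusted by every TLS client on the box.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA'
)

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey      # the dangerous case described in the article
                IsSelfSigned  = ($_.Subject -eq $_.Issuer)
            }
        }
}

if (-not $findings) {
    Write-Output 'No eDellRoot or DSDTestProvider certificates found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # -DeleteKey also removes the associated private key, not just the certificate entry
        Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -DeleteKey -Force
        Write-Output "Removed $($f.Subject) from $($f.Store)"
    }
} else {
    Write-Output 'Re-run with -Remove to delete the listed certificates.'
}
```

As the article notes, uninstalling Dell System Detect on its own leaves the certificates in place, so run the audit after the uninstall as well.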
Lenovo Solution Centre v3.1.004 and earlier contains multiple vulnerabilities that allow a hacker to execute arbitrary code.
Carnegie Mellon University’s US-CERT (Computer Emergency Readiness Team) wrote: “If a user has launched the Lenovo Solution Centre and an attacker can convince or otherwise trick a user into viewing a maliciously crafted web page, HTML email message or attachment, then an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.”
The software is affected by serious weaknesses, including:
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-353: Cross-Site Request Forgery (CSRF)
Lenovo System Update has also been exposed as having vulnerabilities. One of the vulnerabilities is located in the tool's help system and allows users with limited Windows accounts to start an instance of Internet Explorer with administrator privileges by clicking on URLs in help pages. That's because Lenovo System Update itself runs under a temporary administrator account that the application creates when installed, so any process it spawns will run under the same account.
The other is also related to the temporary administrator account and particularly to the way in which its name and password are generated. It is possible for an attacker to regenerate the same username based on the time the account was created.
Fortunately uninstalling the offending software does work. Lenovo has an advisory here.
Toshiba Service Station "allows your computer to automatically search for TOSHIBA software updates or other alerts from Toshiba that are specific to your computer system and its programs". An issue in Toshiba Service Station, versions 2.6.14 and below, allows local users of lower privilege to read parts of the registry as SYSTEM.
Uninstalling the software prevents exploitation of the issue. The researchers know of no mitigation other than removing this software entirely from any affected devices.
Millions of machines affected
In the third quarter alone Lenovo shipped 14.9 million units, Dell shipped over 10 million, and Toshiba shipped 810,000 units. The majority went to corporate and enterprise clients, but consumers need to worry as well. The vulnerabilities affect machines produced and sold literally up to today.