How to Remediate the Recent Dell SupportAssist Remote Code Execution Vulnerability

Any IT technician who has installed Windows knows how much of a pain it can be to install all of the correct drivers and keep them up to date. It has gotten easier over the years with improvements to Windows Update and the various tools that now exist to save us from downloading and updating drivers manually, one by one.


New Ways to Attack

However, these tools can also introduce new attack vectors, and Dell SupportAssist is one such piece of software. Security researcher Bill Demirkapi recently discovered a remote code execution vulnerability in versions older than 3.2.0.90. An attacker sharing the network access layer with an affected system can use it to execute arbitrary code remotely and take complete control of that system. Bill notified Dell, which issued a patch and posted a security advisory, and he also provided an excellent, thorough write-up on his blog. Note that Bill is 17 years old; he certainly has a bright future ahead of him in IT security!



How We Found & Fixed Impacted Clients

As with most MSPs, our clients have systems from various manufacturers, including Dell. Dell SupportAssist comes preinstalled on most new Dell devices running Windows. Normally SupportAssist updates itself when it runs, but that is the catch: if the software has been disabled, or isn't updating for some reason, a system can sit on an old version indefinitely, so you can't assume auto-update has taken care of it. To see which of our managed systems were vulnerable, I ran a report in Datto RMM on all of our client systems that have Dell SupportAssist installed, and created a spreadsheet of systems with versions older than 3.2.0.90. I put together one script to install the latest version of Dell SupportAssist, and another to remove any installed versions:

To install/upgrade to the latest version of Dell SupportAssist (script adapted from here):

$source = "https://downloads.dell.com/serviceability/catalog/SupportAssistInstaller.exe"
$destination = ".\SupportAssistInstaller.exe"

# Older Windows/.NET builds default to TLS 1.0, which HTTPS download hosts increasingly reject.
# The Tls12 enum value only exists on .NET 4.5+, so tolerate its absence on PowerShell 2.0 hosts.
try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch { }

# Use Invoke-WebRequest where it exists (PowerShell 3.0+), otherwise fall back to WebClient.
# -ErrorAction SilentlyContinue stops Get-Command writing an error on hosts that lack the cmdlet.
if (Get-Command 'Invoke-WebRequest' -ErrorAction SilentlyContinue) {
    # -UseBasicParsing avoids the Internet Explorer first-run dependency on servers and Core installs
    Invoke-WebRequest -Uri $source -OutFile $destination -UseBasicParsing
} else {
    $webClient = New-Object System.Net.WebClient
    $webClient.DownloadFile($source, $destination)
}

# Start the silent installation (/S) and wait for it, so the script only finishes, and the
# RMM job only reports success, once the installer has actually run to completion.
Start-Process -FilePath $destination -ArgumentList "/S" -Wait

 

To remove all installed versions of Dell SupportAssist:

# Remove the Microsoft Store (Appx) package from every user profile; this needs an elevated session
Get-AppxPackage -AllUsers DellInc.DellSupportAssistforPCs | Remove-AppxPackage -AllUsers

# Remove the classic Win32 install through PackageManagement's installed-programs provider
Uninstall-Package -Name "Dell SupportAssist" -Force
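The find-then-fix flow described above, as one added example that is not one of the original post's scripts and not Dell's tooling: it reads the installed SupportAssist version from the registry, compares it against the fixed version, upgrades only where needed, refuses to run a downloaded installer whose Authenticode signature does not check out, and re-audits afterwards. It assumes that 3.2.0.90 is the fixed version (per the advisory referenced above), that the Win32 install registers under the standard Uninstall registry keys with a DisplayName beginning "Dell SupportAssist", and that the installer is signed with a subject containing "Dell" (an assumption; confirm it against a known-good download before relying on it). The Store package is deliberately not version-compared, since the post says nothing about its numbering.

```powershell
# Added example (not from the original post or from Dell): audit, remediate, verify.
# Assumptions: fixed version 3.2.0.90; Win32 install visible under the Uninstall keys as
# "Dell SupportAssist*"; installer Authenticode subject contains "Dell" (assumed).

$FixedVersion = [version]'3.2.0.90'
$Source       = 'https://downloads.dell.com/serviceability/catalog/SupportAssistInstaller.exe'
$Destination  = Join-Path $env:TEMP 'SupportAssistInstaller.exe'

function Get-SupportAssistInstall {
    # Check both the native and the WOW6432Node uninstall hives on 64-bit Windows
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Dell SupportAssist*' -and $_.DisplayVersion } |
        ForEach-Object {
            # DisplayVersion is free text; only compare values [version] can actually parse,
            # and treat anything unparseable as vulnerable rather than silently skipping it
            $v = $null
            if ([version]::TryParse($_.DisplayVersion, [ref]$v)) {
                [pscustomobject]@{ Name = $_.DisplayName; Version = $v; Vulnerable = ($v -lt $FixedVersion) }
            } else {
                Write-Warning "Unparseable version '$($_.DisplayVersion)' for $($_.DisplayName)"
                [pscustomobject]@{ Name = $_.DisplayName; Version = $_.DisplayVersion; Vulnerable = $true }
            }
        }
}

function Install-SupportAssistVerified {
    # Older .NET defaults to TLS 1.0, which the download host may refuse; ask for TLS 1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Source -OutFile $Destination -UseBasicParsing

    # Never run an installer pulled over the network without checking who signed it.
    # The 'Dell' subject match is an assumption about Dell's signing certificate.
    $sig = Get-AuthenticodeSignature -FilePath $Destination
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Dell') {
        Remove-Item -Path $Destination -Force -ErrorAction SilentlyContinue
        throw "Installer signature check failed (status: $($sig.Status), subject: $($sig.SignerCertificate.Subject))"
    }

    # /S = silent install; -Wait -PassThru so the exit code reflects the install, not just the launch
    $proc = Start-Process -FilePath $Destination -ArgumentList '/S' -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "SupportAssist installer exited with code $($proc.ExitCode)" }
}

# --- main flow: audit, remediate only where needed, then verify ---
$before = @(Get-SupportAssistInstall)
if ($before.Count -eq 0) {
    Write-Output 'Dell SupportAssist (Win32) is not installed; nothing to upgrade.'
    exit 0
}
$before | Format-Table -AutoSize | Out-String | Write-Output

if (@($before | Where-Object { $_.Vulnerable }).Count -gt 0) {
    Install-SupportAssistVerified
    $after = @(Get-SupportAssistInstall)
    $after | Format-Table -AutoSize | Out-String | Write-Output
    if (@($after | Where-Object { $_.Vulnerable }).Count -gt 0) {
        Write-Error 'A version below 3.2.0.90 is still present after the upgrade'
        exit 1
    }
}
Write-Output 'No vulnerable SupportAssist version present.'
exit 0
```

Run it from an elevated session (an RMM component running as SYSTEM qualifies). The non-zero exit code on a failed signature check or a lingering old version is what lets the RMM job surface the failure instead of reporting success just because the script finished.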

 

To finish up, I created a component in Datto RMM to run each script on target devices, one for the install/upgrade script and one for the uninstall script. Then I ran them against target devices as required per the needs of our clients. I ran device audits and reports afterwards to make sure the components worked.


Lessons Learned - Avoiding Security Attacks

The lessons here are to pay attention to security advisories, patch quickly, and, most of all, to consider whether each piece of software you deploy with your systems is actually necessary. Situations like this can be avoided in the first place by reducing your attack surface: make sure your systems don't have unnecessary software installed. Even OEM-bundled software that is genuinely helpful can expose a system to new vulnerabilities, and a support agent that is reachable from the network and can act on the system is an especially attractive target. And let's all be thankful for security researchers like Bill Demirkapi. Dell and all Dell users owe him one!


At iuvo, we’re experts in network and data security. Download our white paper - Security in Layers - to learn more.
