Unsafe out of the Box: Supply Chain Vulnerability Leaves 100 Million PCs Vulnerable
In 1965, consumer products attorney Ralph Nader wrote a book entitles “Unsafe at Any Speed” which was a scathing indictment on the American Automobile Industry’s reluctance to invest in and install life-saving automotive technologies. The book was widely hailed as a success because its publication prompted the passage of mandatory seat belt laws in 49 states (New Hampshire was the single holdout). There are stark parallels between the 1960’s automotive industry and the state of the IT industry’s supply chain. Just like automobile manufacturers preferred bright chrome dashboards which looked aesthetically pleasing, but caused temporary blindness to drivers when the sun reflected in their eyes, PC manufacturers insist on loading their bloatware onto their machines instead of locking them down against attack.
Bloatware is software that manufacturers such as Dell, Lenovo, and HP install on their machines on top of the base operating system that is unnecessary for the function of the device. When I recently updated to Windows 10 2018 Fall Creator’s Update, it came packaged with King Game’s Candy Crush Saga and DuoLingo foreign language learning software. The last time I purchased a Samsung Android phone, it came pre-installed with the Uber and Facebook applications and I could not uninstall them without making unauthorized modifications (rooting) to the device. One unfortunate side effect of the PC price wars is that OEMs such as Dell, Lenovo, and HP are so focused on having the absolute lowest price to compete, they often make up lost revenue by taking payments in exchange for pre-installing software on their machines. Whenever someone I know purchases a new PC, I immediately tell them to use a piece of software called “PC Decrapifier” which is a small utility that allows a user to easily uninstall all of the bloatware with just a few clicks. Not only does the extra software take up precious disk space, RAM, and CPU cycles, it also opens the machines to new and unnecessary attack surfaces. One of the core tenancies to hardening an OS install is to uninstall or disable any unnecessary services.
Last week, Dell disclosed a vulnerability in a component in their “SupportAssist” software that comes pre-installed on most machines it manufactures and sells. Dell’s website states that SupportAssist comes pre-installed on most of Dell devices running Windows. Ironically, the purpose of the SupportAssist software is to keep the system up to date with software patches and firmware updates. The way SupportAssist handles DLL files caused a privilege execution vulnerability. To avoid duplication of libraries and files, software manufacturers often rely on shared code repositories known as direct link libraries, or DLL files. When software launches, it calls the necessary DLL files to run. Many software vendors perform DLL checks to ensure the files were not tampered with and that they are authentic through the use of code signing.
Contrary to secure software development practices, Dell’s SupportAssist software loads any arbitrary DLL file that shares the same filename as a legitimate DLL it is attempting to load. SupportAssist performs no code signing verification, no integrity checking, or even the location of the DLL file. SupportAssist also runs with SYSTEM-level privilege, so any malicious process loaded would run with that same level of privilege.
In a security bulletin posted by Dell, they state that SupportAssist is a software package purchased from a third party company PC Doctor. PC Doctor declined to say whether other manufacturers are affected or whom they sell to, but an analysis of the SupportAssist software and PC Doctor’s website lead researchers to believe that at least Lenovo is believed to be affected. One of the DLL files Support Assist searches for and will load named LenovoInfo.dll and there is no legitimate reason this file should be present on a machine manufactured by Dell. The number of affected devices is estimated to be in the hundreds of millions.
The silver lining to this story is that SupportAssist has a built-in update mechanism that is enabled by default. The update mechanism allows Dell to roll out a security hotfix and have affected machines should update themselves to patch the vulnerability. However, as seen with the EternalBlue vulnerability, which was patched over two years ago, Shodan still shows vulnerable machines connected to the internet.
Rather than relying on a self-updating mechanism, the most effective way to protect users against malicious DLL files is to use a Cloud-based Sandbox. DLL files are easy to modify, so MD5 or signature-based antimalware is typically not enough to detect and prevent these types of attacks. Since SecureAssist performs no integrity or code signing checks, any DLL file with the correct file name is enough to infect a vulnerable system. Having a cloud sandbox ensures that users are protected no matter where they work: in the office, at home, in a coffee shop, hotel, and the like. A cloud sandbox also benefits users that if a user attempts to download a DLL file and that file is deemed malicious by the cloud sandbox, that file is immediately blacklisted for every user of the multi-tenant cloud sandbox, not just the user or organization that discovered the file. A cloud sandbox or any sandboxing product is only as useful as the traffic it can read, so combining a cloud sandbox with SSL inspection would give the highest probability that a mallows PDF file is blocked. With over 80% of all web traffic today is encrypted with SSL or TLS encryption, the ability to inspect this traffic should be table stakes for any serious security solution. New OEM PCs must be considered insecure out of the box. Uninstalling unnecessary software and services will significantly limit the attack surface. Wiping a machine and using the Windows 10 Long Term Service Channel (LTSC) also strips away all of the unnecessary bloatware that comes with new PCs and updates of Windows 10.