Critical vulnerabilities tracked as CVE-2020-29492 and CVE-2020-29491 affect several Dell Wyse thin client models that could be exploited by a remote attacker to execute malicious code and gain access to arbitrary files.
In computer networking, a thin client is a simple (low-performance) computer that has been optimized for establishing a remote connection with a server-based computing environment. The server does most of the work, which can include launching software programs, performing calculations, and storing data.
Dell Wyse thin client models are widely adopted in the healthcare sector, in the US only, it is estimated that around 6000 organizations are using them.
Both CVE-2020-29492 and CVE-2020-29491 reside in the ThinOS operating system that runs on Dell Wyse thin clients.
Cybersecurity firm CyberMDX discovered that it is possible to access the thin clients via FTP without providing credentials, using “anonymous” user.
The researchers also discovered the update process for the firmware and packages doesn’t rely on digital signature of the code.
“Dell advises creating an FTP server using Microsoft IIS (no specific guidance), then giving access to firmware, packages, and INI files accessible through the FTP server. The FTP is configured to have no credentials (“anonymous” user). While the firmware and package files found on the FTP server are signed, the INI files used for configuration are not.” reads the advisory published by the company.
“Additionally, there is a specific INI file on the FTP server that should be writable for the connecting clients (this is by design). Since there are no credentials, essentially anyone on the network can access the FTP server and modify that INI file holding configuration for the thin client devices.
Moreover, even if credentials were set, they would be shared across a large fleet of clients, allowing them to alter each other’s INI configuration files.”
Experts discovered that an INI file on the FTP server should be writeable for the connecting clients.
The experts pointed out that even setting the username and password would not enough to protect the devices because the credentials would be shared across a large fleet of clients. This means that each client could modify the INI configuration files used by other clients because every time a Dell Wyse device connects to the FTP server, it gets the configuration from the INI file.
The INI file can be created and manipulated by an attacker to deliver a malicious configuration to a specific user.
“The INI files contain a long list of configurable parameters detailed on more than 100 pages by official Dell documentation.” concludes the advisory.
“Reading or altering those parameters opens the door to a variety of attack scenarios. Configuring and enabling VNC for full remote control, leaking remote desktop credentials, and manipulating DNS results are some of the scenarios to be aware of.”
The vulnerabilities affect the following Dell Wyse models running ThinOS 8.6 and below:
Model | Compatibility | |
ThinOS Version 8.x | ThinOS Version 9.x | |
Wyse 3020 | Yes | – |
Wyse 3030 LT | Yes | – |
Wyse 3040 | Yes | Yes |
Wyse 5010 | Yes | – |
Wyse 5040 AIO | Yes | – |
Wyse 5060 | Yes | – |
Wyse 5070 | Yes | Yes |
Wyse 5070 Extended | Yes | Yes |
Wyse 5470 | Yes | Yes |
Wyse 5470 AIO | Yes | Yes |
Wyse 7010 | Yes | – |
Dell addressed the flaws with the release of ThinOS 9.x, the following models can no longer be upgraded:
Dell recommends using the secure protocol (HTTPS) and setting read-only access to the files on the servers.
If you want to receive the weekly Security Affairs newsletter subscribe here.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Dell Wyse thin client)
[adrotate banner=”5″]
[adrotate banner=”13″]