Dell System Detect update vulnerability exposed

Dell System Detect doesn't auto-update automatically, leaving millions of systems vulnerable as a result, according to security software firm F-Secure.

Even though Dell disputes the problem with its application which interacts with the Dell Support website, F-Secure's claim is based on real figures regarding queries about older versions of Dell's support software.

The data suggest anything up to 99 per cent of Dell customers are running older versions of the software that are easily hackable.

F-Secure assisted El Reg with a recent story about a patched remote code execution vulnerability in the Dell Service Tag Detector app (AKA Dell System Detect software).

Our query prompted the Finnish firm to look more closely at the "huge numbers of old installs that we see within our customer base" running Dell System Detect software.

"We watched various versions bring reported to our backend," said Sean Sullivan, a security advisor at F-Secure. "We assumed the old versions would auto-update. But they haven't done so on our test machines."

"In the last two weeks, we've received reputation check requests, on old versions of the software, from customers more than one hundred thousand times. Looking further back, it's a much larger number," he added.

The "Dell System Detect" program is used to auto fill the service tag input and show you the relevant drivers for your machine. Current versions of the software are secure but many users are still running older, insecure versions of the software.

"We're quite concerned with the number of old auto-starting installs left in the wild," Sullivan concluded. "Based on the numbers from our customer base, there must be millions of installs still at risk."

Only about one per cent of F-Secure's customers are now running the latest version of Dell System Detect (version 6.0.14). A blog post by F-Secure on the issue warns that older versions of the software are trivial to exploit.

Older versions of System Detect create a run key in the registry that starts the service automatically.

So vulnerable versions run persistently even though it's only needed when visiting Dell's support site. The latest version — 6.0.14 — doesn't create a run key.

Exploiting older versions of System Detect is very easy. It only requires that the target visits a URL with some variation of "dell" in its domain.

Exactly where in the URL varies depending on the version of the software.

In response to queries from El Reg on the issue, Dell denied there's a problem with either its technology or the update mechanism it uses:

The security of our systems and customer information is a top priority for Dell.

Dell continuously monitors the security landscape of our product ecosystems for reported vulnerabilities and reviews claims against our products.

The issue related to Dell System Detect (DSD) was raised last year and has since been remediated.

As an added layer of security, when customers access DSD to update their systems, an auto update will occur to ensure potential vulnerabilities are addressed, and a test link is available on the eSupport website so customers can validate that they are using the latest version of DSD.

Sullivan remains concerned: "The problem with this 'auto update' is that it relies on the customer *manually* visiting dell.com and running DSD. That’s what triggers the update."

F-Secure agrees with Dell that the current version of DSD is "remediated" regarding web-based attacks. The problem comes from the numerous earlier versions of Dell System Detect that it warns are wide open to attack.

"The web-based threat is easy to take advantage of and offers a way to exploit systems without Java or Flash," Sullivan told El Reg. "So, somebody with DSD using Chrome would be at risk – Chrome sandboxes Java/Flash – but this DSD vulnerability only requires an old DSD installed." ®