CyberMDX, a healthcare information security provider, has discovered two critical vulnerabilities in Dell’s Wyse thin clients. Both flaws could allow attackers to run malicious code remotely and access files on the affected devices. CyberMDX reported the flaws to Dell in June 2020; they affect all devices running ThinOS versions 8.6 and below.
Dell addressed both vulnerabilities in ThinOS 9, which it released on December 21, 2020. Both flaws carry a Common Vulnerability Scoring System (CVSS) score of 10, the maximum possible.
The high severity of these flaws is due in part to the fact that they affect thin clients, lightweight endpoints that rely on a central server for applications and storage rather than on a local disk. Once a thin client establishes a remote connection with a server, that server is responsible for tasks such as running applications and storing data. An attacker who compromises a thin client can therefore use it as a foothold to reach the server and the other clients that the server hosts.
Both vulnerabilities stem from an insecure default configuration that an unauthenticated attacker can exploit remotely. The FTP sessions that affected versions of ThinOS use to fetch firmware updates and configuration from a local file server require no authentication, so an attacker on the network can read and alter those configuration files. The files may contain sensitive data such as passwords and other account information, which an attacker could use to compromise the device.
The tracking numbers for the vulnerabilities are CVE-2020-29491 and CVE-2020-29492. CVE-2020-29491 could allow an attacker to access the file server and read configuration, or INI, files belonging to other clients. CVE-2020-29492 could allow an attacker to modify the configuration files of specific target devices. Possible attack scenarios include manipulating Domain Name System (DNS) results, leaking remote desktop credentials and enabling Virtual Network Computing (VNC) to obtain full remote control.
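The two probes a defender would want to run against a ThinOS file server follow directly from the description above: can an anonymous FTP login read the INI files (the CVE-2020-29491 condition), and can it write to the directory that holds them (the CVE-2020-29492 condition)? The script below is an added audit example, not CyberMDX’s or Dell’s code. It assumes a file layout of wnos/wnos.ini plus per-device files under wnos/inc/, and treats the keys Password, VncPassword and Privilege as sensitive; none of those paths or key names come from the article, and the FakeFTP class and sample INI contents are constructed so the audit can be exercised offline.

```python
import io
import re
from ftplib import FTP, error_perm

# Paths and key names are assumptions for illustration; the page does not give
# the ThinOS file layout or INI key names.
GLOBAL_INI = "wnos/wnos.ini"
DEVICE_INI_DIR = "wnos/inc"
CANARY_PATH = f"{DEVICE_INI_DIR}/zz-audit-canary.ini"
SENSITIVE_KEY_RE = re.compile(r"^\s*(password|vncpassword|privilege)\s*=", re.I | re.M)


def fetch_text(ftp, path):
    """Read probe (CVE-2020-29491): return the file as text, or None if the server refuses."""
    buf = io.BytesIO()
    try:
        ftp.retrbinary(f"RETR {path}", buf.write)
    except error_perm:
        return None
    return buf.getvalue().decode("utf-8", errors="replace")


def can_write(ftp, path=CANARY_PATH):
    """Write probe (CVE-2020-29492): upload a harmless canary and remove it again.
    Returns True when the server accepted the upload."""
    try:
        ftp.storbinary(f"STOR {path}", io.BytesIO(b"; audit canary\n"))
    except error_perm:
        return False
    try:
        ftp.delete(path)
    except error_perm:
        pass  # a leftover comment-only file is harmless; do not fail the audit
    return True


def sensitive_keys(ini_text):
    """Lower-cased names of keys whose values would hand an attacker credentials or privilege."""
    return sorted({m.group(1).lower() for m in SENSITIVE_KEY_RE.finditer(ini_text)})


def audit(ftp):
    """Run both probes over a connected FTP-like object and return the findings."""
    findings = {"anonymous_login": False, "readable": [], "sensitive": {}, "writable": False}
    try:
        ftp.login()  # ftplib defaults to user 'anonymous'
    except error_perm:
        return findings  # anonymous access rejected: neither CVE condition applies
    findings["anonymous_login"] = True
    candidates = [GLOBAL_INI]
    try:  # servers differ on whether NLST returns bare names or full paths
        candidates += [n if "/" in n else f"{DEVICE_INI_DIR}/{n}" for n in ftp.nlst(DEVICE_INI_DIR)]
    except error_perm:
        pass
    for path in candidates:
        text = fetch_text(ftp, path)
        if text is None:
            continue
        findings["readable"].append(path)
        keys = sensitive_keys(text)
        if keys:
            findings["sensitive"][path] = keys
    findings["writable"] = can_write(ftp)
    return findings


class FakeFTP:
    """Constructed in-memory stand-in for ftplib.FTP so the audit runs offline (test double only)."""

    def __init__(self, files, anonymous=True, writable=True):
        self.files, self.anonymous, self.writable = dict(files), anonymous, writable

    def login(self, user="anonymous", passwd=""):
        if not self.anonymous:
            raise error_perm("530 Login incorrect.")

    def nlst(self, path):
        names = [p.split("/")[-1] for p in self.files if p.startswith(path + "/")]
        if not names:
            raise error_perm("550 No such file or directory.")
        return names

    def retrbinary(self, cmd, callback):
        path = cmd.split(" ", 1)[1]
        if path not in self.files:
            raise error_perm("550 Failed to open file.")
        callback(self.files[path])

    def storbinary(self, cmd, fp):
        if not self.writable:
            raise error_perm("550 Permission denied.")
        self.files[cmd.split(" ", 1)[1]] = fp.read()

    def delete(self, path):
        self.files.pop(path, None)


# Constructed sample INI bodies resembling what a client would fetch; not real data.
SAMPLE_FILES = {
    "wnos/wnos.ini": b"Privilege=High\nVncPrompt=no\nVncPassword=hunter2\n",
    "wnos/inc/0a1b2c3d4e5f.ini": b"Username=helpdesk\nPassword=Winter2020!\nConnect=RDP\n",
}


def demo():
    """Audit a constructed vulnerable server (anonymous login, writable) and return the findings."""
    return audit(FakeFTP(SAMPLE_FILES))


if __name__ == "__main__":
    import json
    import sys

    # Real use: python audit.py <fileserver-host>; with no argument, audit the constructed fake.
    target = FTP(sys.argv[1], timeout=10) if len(sys.argv) > 1 else FakeFTP(SAMPLE_FILES)
    print(json.dumps(audit(target), indent=2))
```

The write probe does modify the target, even if only briefly, so run it only against file servers you are authorized to test. A server that rejects the anonymous login, or that accepts it but refuses the STOR, has closed the respective condition; a server where both probes succeed is exposed to both CVEs regardless of which ThinOS version the clients run.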
Dell recommends that users take corrective action on these issues as quickly as possible, given the relative ease of exploiting them. A number of solutions are available, depending on the user’s specific IT environment.
The preferred option is to deploy Dell Wyse Management Suite with ThinOS 9. Customers with eligible Wyse clients can upgrade their operating system (OS) to ThinOS 9 and deploy Wyse Management Suite free of charge. ThinOS 9 removes the INI file management feature, so it no longer pulls configuration from a file server and is not exposed to CVE-2020-29491 or CVE-2020-29492.
For some environments, removing INI file management may not be feasible. In these cases, the user should stop using FTP to fetch the vulnerable files and switch to a more secure transport. One option for securing the file server environment of ThinOS 8.6 and below is to update the file servers to use HTTPS instead of HTTP or FTP. This solution also requires users to set their file servers to read-only access, so that clients can still fetch configuration but nobody can alter it.
Another workaround for users who don’t want to upgrade to ThinOS 9 is to deploy Wyse Management Suite by itself. They can then use Wyse Management Suite to perform device configuration and imaging tasks instead of a file server. The software enforces HTTPS for client communication and stores configuration data in a server database rather than in configuration files that an attacker can easily edit.