Two critical vulnerabilities have been discovered in Dell’s Wyse thin clients that could be exploited remotely by an attacker to run malicious code and gain access to arbitrary files.
As small form factor PCs have grown more powerful in recent years, many organizations and especially those in the healthcare industry have turned to thin clients for their computing needs as they take up far less space than a traditional desktop PC. Dell Wyse thin clients are a popular choice among businesses and it’s estimated that over 6,000 organizations have deployed them on their networks.
Dell ships its own operating system called ThinOS with its Wyse devices and the two critical vulnerabilities, tracked as CVE-2020-29492 and CVE-2020-29491, reside in its OS. ThinOS can also be maintained remotely and the Austin-based company recommends that users set up an FTP server for its Wyse devices to download updates including firmware, packages and configurations.
However, security researchers at the cybersecurity firm CyberMDX, which focuses on the healthcare sector, found that accessing almost a dozen Dell Wyse thin clients via FTP was possible with no credentials by using an anonymous user profile. They also discovered that only the firmware and packages are signed which means an attacker could use the INI configuration files to target vulnerable machines.
ThinOS vulnerabilities
Head of research at CyberMDX, Elad Luz provided further insight in a blog post on how the lack of credentials can leave Dell Wyse thin clients vulnerable to attacks, saying:
“Since there are no credentials, essentially anyone on the network can access the FTP server and modify that INI file holding configuration for the thin client devices. Moreover, even if credentials were set, they would be shared across a large fleet of clients, allowing them to alter each other’s INI configuration files.”
According to CyberMDX, only Wyze models 3020, 3030 LT, 3040, 5010, 5040 AIO, 5060, 5070, 5070 Extended, 5470, 5470 AIO and 7010 running ThinOS 8.6 and below are affected. While Dell has released ThinOS9 to address the two critical vulnerabilities, unfortunately Wyze models 3020, 3030 LT, 5010, 5040 AIO, 5060 and 7010 can no longer be updated.
If your organization is using a model that can’t be updated, CyberMDX recommends disabling the use of FTP for updates and relying on an alternative method instead. Meanwhile Dell has released a security advisory that recommends organizations use a secure protocol and ensure their file servers have read-only access in order to secure their devices.
Via BleepingComputer