Dell SupportAssist software prior to 126.96.36.199 contains two critical remote code execution vulnerabilities.
Dell has just released a new version of their SupportAssist software which comes pre-installed on most systems to correct CVE-2019-3719. A 17 year old security researcher discovered a weakness in the way the Dell software validated the identity of the dell.com website. This made it possible for an attacker to impersonate the dell.com site and issue instructions to the SupportAssist software to download and install arbitrary code supplier by the attacker.
Also fixed is CVE-2019-3718 which could allow an unauthenticated remote attacker to attempt CSRF attacks on users of the impacted systems.
System Managers with an estate of Dell systems are advised to ensure that all have updated the SupportAssist software as a matter of urgency. If the Dell software is not used to manage patching because another tool is used, then Systems Administrators should consider removing the unused software to reduce the attack surface of their network.
We recently published an article with advice on how to manage security patching on a large network.