Several Dell Wyse thin client models are affected by critical vulnerabilities that a remote attacker could exploit to run malicious code and gain access to arbitrary files.
Thin clients are small form-factor computers used for remote desktop connections to a more powerful system. They are mainly deployed in organizations that do not need much processing power, storage, or memory on the endpoints themselves.
It is estimated that over 6,000 organizations, especially from the healthcare sector, have deployed Dell Wyse thin clients on their networks.
The vulnerabilities, tracked as CVE-2020-29492 and CVE-2020-29491, reside in components of ThinOS, the operating system on Dell Wyse thin clients.
ThinOS can be maintained remotely by setting up an FTP server from which the devices download updates (firmware, packages, configurations).
According to security researchers at CyberMDX, a company focusing on cybersecurity in the healthcare sector, the FTP access requires no credentials: the devices connect as the “anonymous” user.
They also found that only the firmware and packages are signed, which leaves the unsigned INI configuration files open to tampering by a threat actor.
Elad Luz, head of research at CyberMDX, stated that there is also a specific INI file on the FTP server that should be writeable for the connecting clients.
As no credentials are required, anybody on the network can access the FTP server and modify the INI file holding the configuration for the thin client devices.
In the current design it is impossible to protect the FTP connection with credentials, as the username and password would have to be shared across the entire fleet of thin clients.
When a Dell Wyse device connects to the FTP server, it looks for the INI file holding its configuration, which is named after the username used on the terminal.
If this file is writeable, an attacker can replace it with a malicious version to control the configuration received by a specific user on the network.
By exploiting the vulnerabilities, threat actors can read or modify parameters in the configuration file that would give them remote control over the thin client. The two bugs can also be used to leak credentials or manipulate DNS results.
CyberMDX states that these vulnerabilities affect the Dell Wyse models running ThinOS 8.6 and below, which includes Wyse 3020, Wyse 3030 LT, Wyse 3040, Wyse 5010, Wyse 5040 AIO, Wyse 5060, Wyse 5070, Wyse 5070 Extended, Wyse 5470, Wyse 5470 AIO and Wyse 7010.
Dell has released ThinOS 9.x to address these issues. However, some of the affected models can no longer be upgraded, namely Wyse 3020, Wyse 3030 LT, Wyse 5010, Wyse 5040 AIO, Wyse 5060 and Wyse 7010.
Organizations with these models deployed on their networks must disable the use of FTP for the update procedure and rely on an alternative method.
In its security advisory, Dell recommends securing the environment by using a secure protocol (HTTPS) and ensuring that the file servers provide read-only access.
Affected customers can also use Wyse Management Suite for imaging and device configuration, which enforces the use of HTTPS and stores the configuration files in a secure server database.
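A defender-side check for the two weaknesses described above (unsigned INI files that the anonymous FTP account can write, and an update source that is not HTTPS), as an added example that is not Dell's or CyberMDX's code: it audits the directory served to the thin clients for files writable by the service's group or by others, and flags any non-HTTPS update URL. The file names, directory layout and URL are constructed assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List

# Hypothetical audit helper (added example, not Dell or CyberMDX code).
# ThinOS pulls signed firmware/packages plus unsigned per-device INI files
# (named after the terminal username) from a file server, so the server
# must be read-only for clients: no INI file may be writable by the
# account the anonymous FTP session runs as (group/other write bits).

def audit_update_root(root: str) -> List[str]:
    """Return findings for files under the update root that are writable
    by the group or by others; unsigned .ini files are rated critical."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        if not mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".ini":
            findings.append(f"CRITICAL unsigned config writable: {rel}")
        else:
            findings.append(f"WARN writable file: {rel}")
    return findings

def audit_update_url(url: str) -> List[str]:
    """Flag update sources that are not HTTPS, as the advisory recommends."""
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""
    return [] if scheme == "https" else [f"WARN update source is not HTTPS: {url}"]

def demo() -> List[str]:
    """Build a constructed sample update root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        wyse = Path(root) / "wyse"                      # constructed layout
        (wyse / "ini").mkdir(parents=True)
        (wyse / "global.ini").write_text("[global]\n")   # constructed global config
        (wyse / "ini" / "jdoe.ini").write_text("[user]\n")  # per-user config
        (wyse / "firmware.bin").write_bytes(b"signed")   # stands in for signed firmware
        os.chmod(wyse / "global.ini", 0o644)
        os.chmod(wyse / "firmware.bin", 0o644)
        os.chmod(wyse / "ini" / "jdoe.ini", 0o666)       # the weak setting: world-writable
        return audit_update_root(root) + audit_update_url("ftp://fileserver.example/wyse")

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against the real served directory and URL instead of `demo()`; an empty result means no client-writable INI files and an HTTPS source.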