Researchers reported Monday that they had found two vulnerabilities in Dell Wyse thin client devices, each rated 10 under the Common Vulnerability Scoring System – the highest possible severity score.
Health care cybersecurity provider CyberMDX, which posted the findings in a blog, said attackers could potentially run malicious code and access arbitrary files on the affected machines.
The affected thin clients run Dell Wyse ThinOS 8.6 and earlier. Wyse has developed thin clients since the 1990s and was acquired by Dell in 2012. In the U.S. alone, some 6,000 companies and organizations run Dell Wyse thin clients inside their networks, many of them health care providers.
Dell has remediated the vulnerabilities and posted details in a Dell Security Advisory (DSA-2020-281).
According to CyberMDX, both vulnerabilities were given CVSS scores of 10. The first vulnerability, CVE-2020-29491, lets users access the configuration server and read configurations belonging to other clients. The configuration may include sensitive data, including potential passwords and account information that could later be used to compromise the device. The second vulnerability, CVE-2020-29492, lets users access the server and directly alter configurations belonging to other thin clients.
The thin client devices are small form-factor computers optimized for establishing a remote desktop connection to more capable hardware elsewhere on the network. They are provisioned from a local FTP server, from which the devices pull new firmware, packages, and configurations.
“One of the main issues is that security often gets overlooked during the design phase of these devices,” said Elad Luz, head of research at CyberMDX. “The default installation of the FTP server for the thin client devices is configured to have no credentials, and this enables anyone on the network to access the FTP server and modify the INI file holding configuration settings for the thin client devices. But even if credentials are enforced, they would still have to be shared across the entire thin client fleet, which would let any thin client access and/or modify the configuration of all other thin clients within the network.”
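As an added defensive check (constructed here, not tooling from Dell, CyberMDX or the article), the following Python script audits a thin-client configuration share for the conditions the quote describes: whether the default anonymous (or fleet-wide shared) credentials log in, whether another client's INI file can be read, and whether the share can be altered. The host, directory and credentials are assumptions to replace with your own fleet's values; the only write it performs is a marker file with a random name, which it deletes afterwards.

```python
import ftplib
import io
import uuid

def audit_ftp_config_share(host, config_dir="/", user="anonymous",
                           password="anonymous@", timeout=5):
    """Report what a client holding only these credentials (default: anonymous)
    can do on the configuration share. Existing files are never modified."""
    findings = {"login": False, "ini_files": [], "readable": False, "writable": False}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, 21, timeout=timeout)
        ftp.login(user, password)
        findings["login"] = True
        ftp.cwd(config_dir)
        try:
            names = ftp.nlst()
        except ftplib.error_perm:  # some servers answer 550 for an empty directory
            names = []
        findings["ini_files"] = [n for n in names if n.lower().endswith(".ini")]
        # Read check: can this client pull a configuration that is not its own?
        if findings["ini_files"]:
            buf = io.BytesIO()
            try:
                ftp.retrbinary("RETR " + findings["ini_files"][0], buf.write)
                findings["readable"] = buf.tell() > 0
            except ftplib.error_perm:
                pass  # download refused
        # Write check: upload a marker with a random name, then delete it again.
        probe = "audit-probe-" + uuid.uuid4().hex
        try:
            ftp.storbinary("STOR " + probe, io.BytesIO(b"audit marker\n"))
            findings["writable"] = True
            ftp.delete(probe)
        except ftplib.error_perm:
            pass  # upload refused: not writable with these credentials
    except ftplib.all_errors:
        pass  # connection refused, timeout or login failure: findings stay False
    finally:
        ftp.close()
    return findings

def classify(findings):
    """Map raw findings onto the two issue classes named in the advisory."""
    issues = []
    if findings["login"] and findings["readable"]:
        issues.append("config-read")   # other clients' INI files can be read
    if findings["login"] and findings["writable"]:
        issues.append("config-write")  # INI files can be altered
    return issues
```

Run it as `classify(audit_ftp_config_share("config-ftp.example.internal", "/thinclient"))` (hypothetical host and path); an empty list means neither read nor write of the shared configuration was possible with the credentials given.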
Craig Young, principal security researcher for Tripwire’s vulnerability and exposure research team, said the model of devices pulling configurations from a shared anonymous FTP server with world-writable configuration files was something that “wouldn’t seem out of place” 20-30 years ago. He noted that the idea that any number of health care providers still operate their networks like this should raise more than a few eyebrows.
“Problems with authentication and authorization plague a lot of embedded devices and it seems that vendors are badly in need of solid guidelines regarding what works and what doesn’t,” Young said.