Ornamental dots. Two rows of three dots. The top row is a light blue. The bottom row is one light blue dot followed by two orange dots.

Dell Wyse Thin Client Vulnerability

Vedere Labs Team (formerly CyberMDX) Discovers Vulnerability in Dell Wyse Thin Clients

Background

This page covers two vulnerabilities discovered by Vedere Labs (formerly CyberMDX) and published by Dell on the 21st of December 2020 as CVE-2020-29491 and CVE-2020-29492. The vulnerabilities affect Dell Wyse Thin client devices and once exploited allow attackers to, among other things, remotely run malicious code and access arbitrary files on affected devices.

The profound potential impact of these vulnerabilities coupled with the relative ease of exploitation is what makes them so critical. This criticality is captured in the severity scores of both vulnerabilities – 10 / 10.

Affected are all Dell Wyse Thin Clients running ThinOS versions 8.6 and below:

Model Affected Versions
Wyse 3020 All versions up to ThinOS 8.6 (currently the latest)
Wyse 3030 LT All versions up to ThinOS 8.6 (currently the latest)
Wyse 3040 All versions up to ThinOS 8.6
Wyse 5010 All versions up to ThinOS 8.6 (currently the latest)
Wyse 5040 AIO All versions up to ThinOS 8.6 (currently the latest)
Wyse 5060 All versions up to ThinOS 8.6 (currently the latest)
Wyse 5070 All versions up to ThinOS 8.6
Wyse 5070 Extended All versions up to ThinOS 8.6
Wyse 5470 All versions up to ThinOS 8.6
Wyse 5470 AIO All versions up to ThinOS 8.6
Wyse 7010 All versions up to ThinOS 8.6 (currently the latest)

 

CVE-2020-29491

Risk Level: A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Date Reported: June, 2020
CISA Advisory date: December 21, 2020

 

CVE-2020-29492

Risk Level: A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Date Reported: June, 2020
CISA Advisory date: December 21, 2020

 

 

Vulnerability Details

Dell Wyse Thin Clients

Wyse has been developing thin clients since the 90s and was acquired by Dell in 2012. In the US only, it is estimated that around 6000 companies and organizations are making use of Dell Wyse thin client fleets inside their network, including many healthcare providers.

 

What are Thin Clients?

A small form-factor computer optimized for performing a remote desktop connection to a distant (and usually) more resourceful hardware. The software used by the thin client is minimal and directed towards making a seamless remote connection experience.

Thin clients introduce several advantages, including:

  • Eliminating the need to carry the high processing, storage and memory resources typically required by standard PCs or servers
  • Simplifying and centralizing maintenance
  • Reducing power consumption and lowering cost

 

Vulnerable Components

 

ThinOs remote maintenance

The affected Dell Wyse clients run an operating system named ThinOs. ThinOs can be remotely maintained, the default way is performed via a local FTP server where devices can pull new firmware, packages, and configurations. Although there are alternative ways for remotely maintaining these clients, we found this way to be quite popular and it is the method recommended by Dell.

The FTP server

Dell advises creating an FTP server using Microsoft IIS (no specific guidance), then giving access to firmware, packages, and INI files accessible through the FTP server. The FTP is configured to have no credentials (“anonymous” user). While the firmware and package files found on the FTP server are signed, the INI files used for configuration are not.

Additionally, there is a specific INI file on the FTP server that should be writable for the connecting clients (this is by design). Since there are no credentials, essentially anyone on the network can access the FTP server and modify that INI file holding configuration for the thin client devices.

Moreover, even if credentials were set, they would be shared across a large fleet of clients, allowing them to alter each other’s INI configuration files.

{username}.ini file

When a Dell Wyse device connects to the FTP server it searches for an INI file in the form of “{username}.ini” where {username} is replaced with the username used by the terminal.

If this INI file exists, it loads the configuration from it. As noted, this file is writable, so it can be created and manipulated by an attacker to control the configuration received by a specific user.
 

Mitigations and Recommendations

Upgrade to ThinOS 9.x

Where possible (depending on model, see table below) upgrade your Thin Client firmware to ThinOS version 9.x which will remove the INI file management feature.

Model Compatibility
ThinOS Version 8.x ThinOS Version 9.x
Wyse 3020 Yes
Wyse 3030 LT Yes
Wyse 3040 Yes Yes
Wyse 5010 Yes
Wyse 5040 AIO Yes
Wyse 5060 Yes
Wyse 5070 Yes Yes
Wyse 5070 Extended Yes Yes
Wyse 5470 Yes Yes
Wyse 5470 AIO Yes Yes
Wyse 7010 Yes

If Your Device Cannot Be Upgraded to ThinOS 9.x

If your device cannot be upgraded to ThinOS 9.x, it is recommended you disable the use of FTP for obtaining the vulnerable files.

On the ThinOS client desktop

Navigate to System Setup > Central Configuration > General.

Remove any FTP settings present. Where remote management is required, please use other methods – https server or Wyse Management Suite. Information on configuring those can be found online on Dell’s website.

On your DHCP server

Dell Wyse uses DHCP option tags 161 and 162 to configure the ThinOS client, file server and path information. Make sure your DHCP server does not reconfigure those back to the FTP server on every DHCP interaction.
 

Possible Attack Scenarios

The INI files contain a long list of configurable parameters detailed on more than 100 pages by official Dell documentation.

Reading or altering those parameters opens the door to a variety of attack scenarios. Configuring and enabling VNC for full remote control, leaking remote desktop credentials, and manipulating DNS results are some of the scenarios to be aware of.


 

Credit

Elad Luz, Head of Research at CyberMDX, a Forescout Company
Professor Gil David, Chief Scientist of Artificial Intelligence at CyberMDX, a Forescout Company

Forescout Products

Get the capabilities you need to build a tailored security solution for your digital terrain
and continuously automate actions to reduce cyber risk.

eyeSight

Assess Your Risk: Finding Vulnerable Devices

eyeSight

eyeInspect

Identify Attacks: Detecting Ongoing Exploits

eyeInspect

eyeSegment

Protect Your Organization: Segmenting the Network

eyeSegment
Demo RequestForescout PlatformTop of Page