Dell Wyse Thin Client Vulnerability
Vedere Labs Team (formerly CyberMDX) Discovers Vulnerability in Dell Wyse Thin Clients
Background
This page covers two vulnerabilities discovered by Vedere Labs (formerly CyberMDX) and published by Dell on the 21st of December 2020 as CVE-2020-29491 and CVE-2020-29492. The vulnerabilities affect Dell Wyse Thin client devices and once exploited allow attackers to, among other things, remotely run malicious code and access arbitrary files on affected devices.
The profound potential impact of these vulnerabilities coupled with the relative ease of exploitation is what makes them so critical. This criticality is captured in the severity scores of both vulnerabilities – 10 / 10.
Affected are all Dell Wyse Thin Clients running ThinOS versions 8.6 and below:
| Model | Affected Versions |
|---|---|
| Wyse 3020 | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 3030 LT | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 3040 | All versions up to ThinOS 8.6 |
| Wyse 5010 | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 5040 AIO | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 5060 | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 5070 | All versions up to ThinOS 8.6 |
| Wyse 5070 Extended | All versions up to ThinOS 8.6 |
| Wyse 5470 | All versions up to ThinOS 8.6 |
| Wyse 5470 AIO | All versions up to ThinOS 8.6 |
| Wyse 7010 | All versions up to ThinOS 8.6 (currently the latest) |
CVE-2020-29491
| Risk Level: | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported: | June, 2020 |
| CISA Advisory date: | December 21, 2020 |
CVE-2020-29492
| Risk Level: | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported: | June, 2020 |
| CISA Advisory date: | December 21, 2020 |
Vulnerability Details
Dell Wyse Thin Clients
Wyse has been developing thin clients since the 90s and was acquired by Dell in 2012. In the US only, it is estimated that around 6000 companies and organizations are making use of Dell Wyse thin client fleets inside their network, including many healthcare providers.
What are Thin Clients?
A small form-factor computer optimized for performing a remote desktop connection to a distant (and usually) more resourceful hardware. The software used by the thin client is minimal and directed towards making a seamless remote connection experience.
Thin clients introduce several advantages, including:
- Eliminating the need to carry the high processing, storage and memory resources typically required by standard PCs or servers
- Simplifying and centralizing maintenance
- Reducing power consumption and lowering cost
Vulnerable Components
ThinOs remote maintenance
The affected Dell Wyse clients run an operating system named ThinOs. ThinOs can be remotely maintained, the default way is performed via a local FTP server where devices can pull new firmware, packages, and configurations. Although there are alternative ways for remotely maintaining these clients, we found this way to be quite popular and it is the method recommended by Dell.
The FTP server
Dell advises creating an FTP server using Microsoft IIS (no specific guidance), then giving access to firmware, packages, and INI files accessible through the FTP server. The FTP is configured to have no credentials (“anonymous” user). While the firmware and package files found on the FTP server are signed, the INI files used for configuration are not.
Additionally, there is a specific INI file on the FTP server that should be writable for the connecting clients (this is by design). Since there are no credentials, essentially anyone on the network can access the FTP server and modify that INI file holding configuration for the thin client devices.
Moreover, even if credentials were set, they would be shared across a large fleet of clients, allowing them to alter each other’s INI configuration files.
{username}.ini file
When a Dell Wyse device connects to the FTP server it searches for an INI file in the form of “{username}.ini” where {username} is replaced with the username used by the terminal.
If this INI file exists, it loads the configuration from it. As noted, this file is writable, so it can be created and manipulated by an attacker to control the configuration received by a specific user.
Mitigations and Recommendations
Upgrade to ThinOS 9.x
Where possible (depending on model, see table below) upgrade your Thin Client firmware to ThinOS version 9.x which will remove the INI file management feature.
| Model | Compatibility | |
|---|---|---|
| ThinOS Version 8.x | ThinOS Version 9.x | |
| Wyse 3020 | Yes | – |
| Wyse 3030 LT | Yes | – |
| Wyse 3040 | Yes | Yes |
| Wyse 5010 | Yes | – |
| Wyse 5040 AIO | Yes | – |
| Wyse 5060 | Yes | – |
| Wyse 5070 | Yes | Yes |
| Wyse 5070 Extended | Yes | Yes |
| Wyse 5470 | Yes | Yes |
| Wyse 5470 AIO | Yes | Yes |
| Wyse 7010 | Yes | – |
If Your Device Cannot Be Upgraded to ThinOS 9.x
If your device cannot be upgraded to ThinOS 9.x, it is recommended you disable the use of FTP for obtaining the vulnerable files.
On the ThinOS client desktop
Navigate to System Setup > Central Configuration > General.
Remove any FTP settings present. Where remote management is required, please use other methods – https server or Wyse Management Suite. Information on configuring those can be found online on Dell’s website.
On your DHCP server
Dell Wyse uses DHCP option tags 161 and 162 to configure the ThinOS client, file server and path information. Make sure your DHCP server does not reconfigure those back to the FTP server on every DHCP interaction.
Possible Attack Scenarios
The INI files contain a long list of configurable parameters detailed on more than 100 pages by official Dell documentation.
Reading or altering those parameters opens the door to a variety of attack scenarios. Configuring and enabling VNC for full remote control, leaking remote desktop credentials, and manipulating DNS results are some of the scenarios to be aware of.
Credit
Elad Luz, Head of Research at CyberMDX, a Forescout Company
Professor Gil David, Chief Scientist of Artificial Intelligence at CyberMDX, a Forescout Company
Forescout Products
Get the capabilities you need to build a tailored security solution for your digital terrain
and continuously automate actions to reduce cyber risk.