On Monday, Dell told customers that patches for some of its Wyse thin client devices fix two critical vulnerabilities that can be exploited remotely without any authentication.
The bugs were identified by researchers at CyberMDX, a firm specializing in healthcare cybersecurity, and can be leveraged to read and modify files on affected devices and to run malicious code.
Dell Wyse Thin Client is a small form-factor PC series running an operating system called ThinOS, which is marketed by Dell as “the most secure thin client operating system.” According to CyberMDX, in the U.S. alone, there are more than 6,000 companies using these devices, including several healthcare providers.
CyberMDX found that the local FTP server from which Wyse thin clients fetch new firmware, packages, and configuration files allows anonymous access by default, so anyone on the network can reach it.
An intruder can retrieve the INI file stored on that server, which holds the thin client's configuration, and can also modify it.
CyberMDX explained in its advisory: “The INI files contain a long list of configurable parameters detailed in more than 100 pages of official Dell documents. Reading or changing certain criteria opens the door to a number of possibilities of attack. Some of the situations to be conscious of include configuring and activating VNC for full remote control, leaking remote desktop credentials, and modifying DNS performance.”
The attacks are made possible by two vulnerabilities: CVE-2020-29491, which lets an unauthenticated attacker read the configuration file, and CVE-2020-29492, which lets them write to it.
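The practical check that follows from the two CVEs is whether a configuration server on your network accepts anonymous FTP logins, whether the INI it serves can be read (and, optionally, written), and whether that INI still matches a known-good copy. The script below is an added example written for this article, not code from Dell or CyberMDX. The default INI path, the sample INI text and the parameter names in the watchlist are assumptions and constructed placeholders (they are not verified ThinOS identifiers); substitute the keys from Dell's own INI reference when using it.

```python
"""Audit a thin-client FTP config share: anonymous access, INI readability,
optional write probe, and tamper fingerprinting.

Added example for this article; not code from Dell or CyberMDX. The default
path and every INI key name below are assumptions/placeholders.
"""
import ftplib
import hashlib
import io
import sys

# Constructed sample INI (key=value lines). Key names are placeholders chosen
# to mirror the attack categories in the advisory, NOT real ThinOS parameters.
SAMPLE_INI = """\
; constructed example, not a real device configuration
Service=vnc disable=no
VNCPassword=letmein
SessionConfig=RDP Username=svc_rdp Password=Hunter2
DNSServer=203.0.113.7
Privilege=None
"""

# Placeholder watchlist: lower-cased key -> why a change to it matters.
WATCHLIST = {
    "service": "remote-control service (e.g. VNC) can be switched on here",
    "vncpassword": "VNC credential stored in the config",
    "sessionconfig": "remote desktop session parameters; may embed credentials",
    "dnsserver": "resolver override; DNS manipulation vector if changed",
    "privilege": "local privilege level granted to the thin client user",
}


def parse_ini(text: str) -> dict:
    """Parse key=value lines into a dict with lower-cased keys.
    Blank lines and ';'/'#' comments are skipped; the value is the rest of
    the line, so sub-parameters such as 'Password=...' stay attached."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def flag_risky(settings: dict, watchlist: dict = WATCHLIST) -> list:
    """Return (key, value, reason) for every watched key present in the INI."""
    return [(k, settings[k], why) for k, why in watchlist.items() if k in settings]


def credential_keys(settings: dict) -> list:
    """Keys that look like they carry a password, either by name or by an
    embedded 'password=' sub-parameter in the value (sorted for stability)."""
    return sorted(k for k, v in settings.items()
                  if "password" in k or "password=" in v.lower())


def fingerprint(data: bytes) -> str:
    """SHA-256 of the served INI bytes; record it once from a trusted copy and
    compare on every run to detect tampering via the write bug."""
    return hashlib.sha256(data).hexdigest()


def check_ftp_share(host: str, path: str = "/wnos/wnos.ini",
                    timeout: float = 5.0, probe_write: bool = False) -> dict:
    """Try an anonymous FTP login, fetch `path`, and optionally test whether an
    upload is accepted (the marker file is deleted again). Network failures are
    reported in the result, never raised, so this can be looped over a subnet."""
    result = {"host": host, "anonymous_login": False, "ini_readable": False,
              "writable": None, "sha256": None, "findings": [], "error": None}
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, 21, timeout=timeout)
            ftp.login()  # no arguments = anonymous / anonymous@
            result["anonymous_login"] = True
            buf = io.BytesIO()
            ftp.retrbinary(f"RETR {path}", buf.write)
            data = buf.getvalue()
            result["ini_readable"] = True
            result["sha256"] = fingerprint(data)
            result["findings"] = flag_risky(parse_ini(data.decode("utf-8", "replace")))
            if probe_write:  # invasive: only run against servers you own
                marker = "/audit-marker.tmp"
                ftp.storbinary(f"STOR {marker}", io.BytesIO(b"audit"))
                result["writable"] = True
                ftp.delete(marker)
    except ftplib.all_errors as exc:  # covers OSError/EOFError and FTP errors
        result["error"] = str(exc)
        if result["anonymous_login"] and result["ini_readable"] and probe_write:
            result["writable"] = False
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then any hosts given.
    sample = parse_ini(SAMPLE_INI)
    for key, value, why in flag_risky(sample):
        print(f"{key}={value!r}: {why}")
    print("credential-bearing keys:", credential_keys(sample))
    for host in sys.argv[1:]:
        print(check_ftp_share(host))
```

Run it with no arguments to see the offline analysis of the constructed INI, or pass the addresses of your configuration servers to test anonymous access; enable `probe_write` only against servers you own, since it performs a real upload. A server that answers the anonymous login and returns the file is exposed to the read bug; a successful `STOR` means the write bug applies as well.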
Dell told customers that Wyse 3040, 5010, 5040, 5060, 5070, 5470 and 7010 thin clients running ThinOS 8.6 and earlier are affected. The bugs are fixed in ThinOS 8.6 MR8.
Earlier this month, CyberMDX disclosed a serious flaw affecting over 100 medical devices manufactured by GE Healthcare that could be abused to view or alter patient health records.