Vulnerability Watch

Forum Discussion

Anonymous
5 years ago

Dell SupportAssist Flaw Allows Local Privileged Execution of Arbitrary Code

On February 10th, Dell released DSA-2020-005: Dell SupportAssist Client Uncontrolled Search Path Vulnerability, an advisory highlighting a high severity (CVSS 7.8) flaw in Dell SupportAssist for business and home PCs. Dell SupportAssist is a troubleshooting program that comes pre-installed on nearly all of Dell's newer devices running Windows OS.

CVE-2020-5316 is an uncontrolled search path vulnerability in SupportAssist that could allow a locally authenticated, low privileged user to cause the “loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code.”

This is not the only flaw in SupportAssist reported in the last year. In June 2019, Dell released an advisory for CVE-2019-12280, affecting a SupportAssist third-party component maintained by PC Doctor, which is very similar to the current vulnerability.

The following versions of SupportAssist are considered vulnerable.

Dell SupportAssist Home versions 3.4 or older

Dell SupportAssist Business versions 2.1.3 or older

If automatic updates are enabled, all versions of SupportAssist should automatically update to the latest secure versions, SupportAssist Business version 2.1.4 and SupportAssist Home version 3.4.1. If automatic updates are not enabled, it can be updated manually from within the SupportAssist settings. 
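The version thresholds above are easy to check fleet-wide before trusting automatic updates to have run. The following PowerShell is an added example (not from this post or from Dell): it reads the Windows Uninstall registry keys, picks out SupportAssist entries by their DisplayName, and compares the installed DisplayVersion against the fixed versions named in the advisory (Home 3.4.1, Business 2.1.4). It assumes the product's DisplayName contains "SupportAssist" and that the words "Home" or "Business" in that name identify the edition; both are assumptions, so an entry that matches neither word is reported as unknown rather than guessed.

```powershell
# Added example: inventory Dell SupportAssist installs and flag versions below the fixed releases.
# Fixed versions are taken from the advisory text above; the DisplayName matching is an assumption.
$FixedVersions = @{
    Home     = [version]'3.4.1'
    Business = [version]'2.1.4'
}

# Both the native and the 32-bit (WOW6432Node) Uninstall hives, so either installer architecture is seen.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SupportAssistStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' } |
        ForEach-Object {
            # Edition detection from the DisplayName is an assumption about Dell's naming.
            $edition = if ($_.DisplayName -match 'Business') { 'Business' }
                       elseif ($_.DisplayName -match 'Home') { 'Home' }
                       else { 'Unknown' }

            $installed = $null
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$installed)

            $vulnerable = if ($parsed -and $FixedVersions.ContainsKey($edition)) {
                $installed -lt $FixedVersions[$edition]
            } else {
                'unknown'   # unparseable version or unrecognised edition: do not guess
            }

            [pscustomobject]@{
                Product    = $_.DisplayName
                Edition    = $edition
                Installed  = $_.DisplayVersion
                FixedIn    = if ($FixedVersions.ContainsKey($edition)) { $FixedVersions[$edition] } else { $null }
                Vulnerable = $vulnerable
            }
        }
}

# Run locally; wrap in Invoke-Command -ComputerName ... to sweep a fleet.
Get-SupportAssistStatus | Format-Table -AutoSize
```

A machine with no SupportAssist entry returns nothing, which is itself useful output when reconciling against a hardware inventory of Dell endpoints. Rows marked "unknown" should be checked by hand rather than treated as patched.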
