PC Maker Update Tools Vulnerable
Thursday, June 2, 2016 @ 05:06 PM gHale
Software updaters shipped by several major PC makers, including Acer, Asus, Dell, HP and Lenovo have vulnerabilities that could lead to remote attacks, researchers said.
Duo Security researchers analyzed these updaters as shipped with Flex 3 and G50-80 devices from Lenovo, Envy and Stream (x360) from HP, Acer Aspire, Inspiron 15 and 15-5548 from Dell, and TP200S from Asus.
Researchers found some local privilege escalation vulnerabilities, however, they focused on remote attacks that can end up launched by man-in-the-middle (MitM) attackers.
Researchers reported each of the tested updaters suffers from at least one flaw that can easily end up exploited to achieve remote code execution with SYSTEM permissions, which can lead to a complete compromise of the vulnerable device.
The most common problems related to the use of Transport Layer Security (TLS), update integrity validation, and verification of the update manifest’s authenticity.
Researchers also found in some cases the applications performed silent updates, which could make it easy for attackers to push malware without raising any suspicion. While some vendors used encryption to protect configuration files and registry data, Duo Security was able to reverse engineer the obfuscation attempts.
One of the most common issues found by researchers was the lack of TLS. All of Dell’s update tools and Lenovo’s Solution Center leverage HTTPS to transmit manifests, the files used to inform the system of a new package or software update. However, Lenovo’s UpdateAgent and products from Acer, Asus and HP use HTTP.
Lenovo Solution Center is the only application that uses signed manifests. The lack of TLS and integrity validation allows MitM attackers to modify the manifest to prevent users from getting important updates, or they can leverage malicious manifest files to install malware.
For Acer Care Center, Asus Live Update and Lenovo UpdateAgent, an attacker can replace legitimate update files with malicious ones because none of these tools use TLS to transmit updates.
Microsoft’s Authenticode allows developers to sign executable files and software packages, but Acer Care Center, Asus Live Update and Lenovo UpdateAgent don’t perform such validation.
Overall, Lenovo’s Solution Center is the most secure, the researchers said, but the company’s UpdateAgent failed all tests, along with products from Acer and Asus.