A vulnerability has been discovered in a range of Dell Wyse Thin client devices – specifically Dell Wyse ThinOS 8.6 and prior operating systems. As discovered by healthcare cybersecurity provider CyberMDX, an attacker could remotely run malicious code and access arbitrary files on these affected Dell Wyse Thin Client devices. Dell has remediated this vulnerability and details can be found in the Dell Security Advisory (DSA-2020-281) today.
An AI/ML anomaly detection feature in the CyberMDX platform identified a common pattern of Wyse Thin Client devices periodically utilizing FTP (File Transfer Protocol) with no authentication. Upon further research by the research team, it was determined that FTP is used by Wyse thin clients to pull their configurations from a local server. The team further discovered that the server where the configurations are stored permits “read and write” access to its configuration files, enabling anyone within the network to read and alter them using FTP.
Wyse has been developing thin clients since the 1990s and was acquired by Dell in 2012. In the US alone, it is estimated that over 6000 companies and organizations are using Dell Wyse thin clients inside their network, with many of these being healthcare providers. The thin client devices are small form-factor computers optimized for performing a remote desktop connection to distant more resourceful hardware. The thin devices operate ThinOS which can be remotely maintained, and one of the most popular ways, as well as the default method, is via a local FTP server where devices pull new firmware, packages and configurations.
Both vulnerabilities were given CVSS scores of 10/10, reflecting the most critical severities. The first vulnerability, CVE-2020-29491 enables the user to access the configuration server and read configurations belonging to other clients. The configuration may include sensitive data including potential passwords and account information that could later be used to compromise the device. The second vulnerability, CVE-2020-29492, enables the user to access the server and directly alter configurations belonging to other thin clients. More information can be found here.
“One of the main issues is that security is often overlooked during the design phase of these devices,” said Elad Luz, Head of Research at CyberMDX. “The default installation of the server for the Thin Client devices FTP server is configured to have no credentials (“anonymous” user) and this enables anyone on the network to access the FTP server and modify the INI file holding configuration settings for the thin client devices. But even if credentials are enforced they would still have to be shared across the entire Thin Client fleet, which would enable any Thin Client to access and/or modify the configuration of all other Thin Clients within the network which is still an issue.”
“This is a great example of an ongoing interaction between the AI and the security research teams in CyberMDX, which enables a quick and precise response to anomalous events,” said Dr. Gil David Chief Scientist for Artificial Intelligence at CyberMDX. Our experienced AI team is constantly developing adapted self-learning algorithms that integrate the domain-expertise of our security research team. This enables accurate detection of security-related anomalies while reducing the false positives and the alerting of irrelevant anomalous events to a minimum.”
CyberMDX Research and its analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team dedicates its efforts to defending hospitals and healthcare organizations from malicious attacks. The team’s researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.