Numerous Dell Wyse Thin Devices Affected by a Couple of Critical Flaws with a CVSS 10 Score

Security researchers identified a couple of critical flaws with a CVSS score of 10 in the Dell Wyse Thin Client, affecting thousands of devices from all over the world. Dell already issued a solution to correct the problems.

Vulnerabilities with a score of 10 are extremely dangerous. The ranking usually means that attackers can compromise systems remotely, without the need for user interaction, while remaining completely invisible.

“This page covers two vulnerabilities discovered by CyberMDX and published by Dell on the 21st of December 2020 as CVE-2020-29491 and CVE-2020-29492,” said the researchers. “The vulnerabilities affect Dell Wyse Thin client devices and once exploited, allow attackers to, among other things, remotely run malicious code and access arbitrary files on affected devices.”

The vulnerabilities are only possible because of Dell’s glaring omission, which allowed users to perform system maintenance through an FTP server that can pull new firmware, packages and configurations.

“The FTP is configured to have no credentials (‘anonymous’ user). While the firmware and package files found on the FTP server are signed, the INI files used for configuration are not,” the CyberMDX researchers explained. This omission meant that anyone on the network could access the FTP server and modify that INI file holding the thin client devices’ configuration.

There are two ways to fix this problem. It’s an issue with all ThinOS versions up to 8.6 (Wyse 3020, Wyse 3030 LT, Wyse 3040, Wyse 5010, Wyse 5040 AIO, Wyse 5060, Wyse 5070, Wyse 5070 Extended, Wyse 5470, Wyse 5470 AIO and Wyse 5470 AIO), so upgrading to the latest 9.x would solve the problem since the INI file management feature is gone in the version.

If the upgrade is not possible, the only other solution would be to disable the FTP protocol for obtaining vulnerable files.