At the end of May, Duo Labs released a startling (to some) report on the sorry state of OEM software that is often bundled with new PCs. They identified numerous critical vulnerabilities within Dell, HP, and Lenovo devices, to name just a few.
Duo’s Darren Kemp broke it down in his blog post on the report:
Today, Duo Labs is publishing our take on the OOBE; Out-of-Box Exploitation: A Security Analysis of OEM Updaters. Shovelware, crapware, bloatware, “value added” - it goes by a lot of names - whatever you call it, most of it is junk (please, OEMs, make it stop). The worst part is that OEM software is making us vulnerable and invading our privacy. Issues like Superfish and eDellRoot make us less secure and are often easy to abuse in practice. With that in mind, Duo Labs decided to dig in to see how ugly things can get.
One of the major things we found was the presence of third-party update tools. Every OEM we looked at included one (or more) with their default configuration. We also noticed that Microsoft Signature Edition systems often included OEM update tools, potentially making their distribution larger than other OEM software.
Updaters are an obvious target for a network attacker; this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEMs to learn from this, right?
Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy.
Here is a quick breakdown of basic features from some of the updaters we looked at:
To check out the full report, download it here (pdf).
If you want the tl;dr version, read Darren’s blog post here.