Looks like Dell is on a roll, and not the good kind. After the company's recent Superfishy root CA problem, security researchers are now finding holes in Dell's Foundation Services support software. According to the company, this software "provides a core set of foundational services facilitating customer serviceability, messaging, and support functions."
Last week, the LizardHQ security research team disclosed a vulnerability in Foundation Services version 2.3.3800.0A00, which allowed a remote attacker to determine a device's Service Tag. That tag could then be used for social engineering purposes or possibly to track a user. Dell updated the software to version 3.0.700.0A00 in response, and it seems to have made the problem worse.
A recently-issued LizardHQ advisory details a new vulnerability in Foundation Services that lets a remote attacker pass any query to the target system's Windows Management Instrumentation service (WMI). This allows a miscreant to know pretty much everything there is to know about a vulnerable system, given that WMI enumerates all of its host machine's hardware and software characteristics. For example, an attacker can have lots of fun just playing with WMI's disk and file system listing functionality.
According to Dell's website, the Foundation Services software is preinstalled on a substantial number of devices, including models in the XPS, Optiplex, and Precision lineups. Until a patch is issued, it's reasonable to assume all machines carrying the software are vulnerable. LizardHQ offers no suggestions for users to protect themselves other than uninstalling Foundation Services.
|Alphacool shows off Eisbrecher radiator and GPX waterblocks||1|
|Rumor: More GTX 1050 Ti and 1080 Ti details pop up||27|
|Cooler Master's MasterBox 5 and Zalman's Z9 Neo cases reviewed||7|
|Deals of the week: cheap mobos and a GTX 950||3|
|Thermaltake revs up Engine 27 low-profile CPU cooler||15|
|Logitech C922 Pro Stream webcam dispenses with green screens||17|
|MSI 100-series BIOS updates show Kaby Lake drops into LGA 1151||14|
|Razer revamps Kraken headsets with big drivers and metal bodies||10|
|Corsair Vengeance LED RAM family now sings the blues||6|