CVE-2021-36286 in SupportAssist Client Consumerinfo

Summary

by MITRE • 09/29/2021

Dell SupportAssist Client Consumer versions 3.9.13.0 and any versions prior to 3.9.13.0 contain an arbitrary file deletion vulnerability that can be exploited by using the Windows feature of NTFS called Symbolic links. Symbolic links can be created by any(non-privileged) user under some object directories, but by themselves are not sufficient to successfully escalate privileges. However, combining them with a different object, such as the NTFS junction point allows for the exploitation. Support assist clean files functionality do not distinguish junction points from the physical folder and proceeds to clean the target of the junction that allows nonprivileged users to create junction points and delete arbitrary files on the system which can be accessed only by the admin.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/03/2021

The vulnerability identified as CVE-2021-36286 resides within Dell SupportAssist Client Consumer versions 3.9.13.0 and earlier, representing a critical arbitrary file deletion flaw that exploits Windows NTFS symbolic link functionality. This vulnerability stems from the improper handling of file system objects during the cleanup process implemented by SupportAssist, creating a path for privilege escalation through malicious manipulation of NTFS junction points and symbolic links. The flaw specifically manifests when the software's file cleaning functionality fails to properly distinguish between junction points and actual directories, allowing attackers to redirect deletion operations to arbitrary system locations.

The technical exploitation mechanism leverages the Windows NTFS file system's capability to create symbolic links and junction points, which can be generated by non-privileged users under certain directory contexts. While symbolic links alone do not provide sufficient privilege escalation capabilities, they become dangerous when combined with junction points to create a chain of redirection. The vulnerability specifically targets the SupportAssist client's clean files functionality, which processes file deletion operations without adequate validation of the target object types. This allows attackers to create junction points that point to protected system directories, then trigger the cleanup function to delete files in those protected locations.

The operational impact of this vulnerability extends beyond simple file deletion, as it enables non-privileged users to gain unauthorized access to system resources that should normally be restricted to administrators. The exploitation chain begins with a non-privileged user creating a junction point that references a system directory accessible only by administrators. When SupportAssist's cleanup process executes, it processes the junction point as if it were a regular directory, proceeding to delete files within the target directory that the attacker cannot normally access. This creates a privilege escalation vector that allows attackers to remove critical system files, potentially leading to system instability, data loss, or further compromise of the affected system.

Security researchers have classified this vulnerability under CWE-22, which addresses Improper Limitation of a Pathname to a Restricted Directory, and it aligns with ATT&CK technique T1059.001 for command and scripting interpreter, as exploitation requires manipulation of system file paths and potentially command execution. The vulnerability's severity is amplified by its accessibility to unprivileged users, making it particularly dangerous in enterprise environments where multiple users may have access to the affected software. Organizations running affected Dell SupportAssist versions face potential risks including unauthorized system modifications, data integrity compromise, and possible escalation to full system control. The remediation approach requires updating to Dell SupportAssist version 3.9.13.0 or later, which implements proper validation of file system objects during cleanup operations and prevents the processing of junction points as regular directories.

This vulnerability demonstrates the importance of proper input validation and object type checking in system utilities, particularly those with elevated privileges or system-level operations. The flaw highlights how seemingly benign features like file cleanup can become dangerous when combined with insufficient validation of file system objects. Organizations should implement comprehensive patch management procedures to address this vulnerability promptly, as the window of opportunity for exploitation exists from the initial release of the affected software version through the deployment of the patched version. The security community has noted that similar vulnerabilities may exist in other software that processes file system operations without proper validation of symbolic links and junction points, emphasizing the need for broader security reviews of system utilities and administrative tools.

Responsible

Dell

Reservation

07/08/2021

Disclosure

09/29/2021

Moderation

accepted

CPE

ready

EPSS

0.00251

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!