CVE-2021-21518
📋 TL;DR
This CVE describes a DLL injection vulnerability in Dell SupportAssist software that allows local low-privileged users to execute arbitrary code with SYSTEM privileges. The vulnerability exists in the Costura Fody plugin used by multiple Dell SupportAssist versions. Affected systems include Dell consumer PCs, business PCs, and ProManage installations running vulnerable versions.
💻 Affected Systems
- Dell SupportAssist Client for Consumer PCs
- Dell SupportAssist Client for Business PCs
- Dell SupportAssist Client ProManage
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement within the network.
Likely Case
Local user escalates privileges to SYSTEM, installs malware, steals credentials, or establishes persistence on the compromised system.
If Mitigated
With proper access controls and monitoring, impact is limited to an isolated system compromise with quick detection and containment.
🎯 Exploit Status
Requires local access with low privileges. DLL injection vulnerabilities are typically straightforward to exploit once the technique is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version as specified in Dell advisory DSA-2021-052
Restart Required: Yes
Instructions:
1. Open Dell SupportAssist application.
2. Check for updates in settings.
3. Install available updates.
4. Alternatively, download latest version from Dell support website.
5. Restart system after installation.
🔧 Temporary Workarounds
Uninstall SupportAssist
Windows: Remove vulnerable software entirely if not required
Control Panel > Programs > Uninstall a program > Select Dell SupportAssist > Uninstall
Restrict local user privileges
Windows: Implement least privilege access controls to limit potential attackers
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized DLL execution
- Monitor for suspicious process creation and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Dell SupportAssist version in Control Panel > Programs > Programs and Features. If version matches affected ranges, system is vulnerable.
Check Version:
wmic product where "name like 'Dell SupportAssist%'" get version
Verify Fix Applied:
Verify version is updated beyond affected ranges and check that no known vulnerable DLLs are present in SupportAssist directories.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution with SYSTEM privileges
- DLL loading from unusual locations by SupportAssist processes
- Failed DLL injection attempts in application logs
Network Indicators:
- Unusual outbound connections from SYSTEM-level processes
- Beaconing behavior from newly created SYSTEM processes
SIEM Query:
Process Creation where Parent Process Name contains 'SupportAssist' AND Integrity Level = 'System'
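The "DLL loading from unusual locations by SupportAssist processes" indicator above can be evaluated over Sysmon image-load (Event ID 7) records. The following is an added example, not code from Dell or from this page; the trusted directory list, the install path and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Assumption: directories SupportAssist is expected to load DLLs from.
# Constructed for this example; replace with the install path used on your fleet.
TRUSTED_DIRS = [
    r"C:\Windows\System32",
    r"C:\Windows\Microsoft.NET",
    r"C:\Program Files\Dell\SupportAssistAgent",
]

AGENT = r"C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe"  # constructed

def _norm(path):
    # normpath collapses ".." segments so a path cannot fake a trusted prefix
    return ntpath.normcase(ntpath.normpath(path))

def is_under(path, directory):
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")

def flag_suspicious_loads(events, trusted_dirs=TRUSTED_DIRS):
    """Return (event, reasons) pairs for SupportAssist image loads that need triage."""
    findings = []
    for ev in events:
        if "supportassist" not in ntpath.basename(ev["Image"]).lower():
            continue  # only processes named like SupportAssist are in scope
        reasons = []
        if not any(is_under(ev["ImageLoaded"], d) for d in trusted_dirs):
            reasons.append("outside trusted directories")
        if str(ev.get("Signed", "false")).lower() != "true":
            reasons.append("unsigned")
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample records using Sysmon Event ID 7 field names (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": AGENT, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": AGENT, "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\Temp\example.dll"},
    {"Image": AGENT, "Signed": "true",
     "ImageLoaded": r"C:\Program Files\Dell\SupportAssistAgent\..\..\..\Users\Public\x.dll"},
    {"Image": r"C:\Windows\explorer.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\Temp\example.dll"},
]

if __name__ == "__main__":
    for ev, reasons in flag_suspicious_loads(SAMPLE_EVENTS):
        print(ev["ImageLoaded"], "->", ", ".join(reasons))
```
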
🔗 References
- https://www.dell.com/support/kbdoc/en-us/000184012/dsa-2021-052-dell-supportassist-for-home-pcs-business-pcs-security-update-for-pc-doctor-plugin-vulnerability