CVE-2021-36286
📋 TL;DR
Dell SupportAssist Client Consumer versions prior to 3.9.13.0 contain an arbitrary file deletion vulnerability. Attackers can exploit NTFS symbolic links and junction points to delete arbitrary files on Windows systems, potentially disrupting system functionality. This affects all users running vulnerable versions of Dell SupportAssist on Windows.
💻 Affected Systems
- Dell SupportAssist Client Consumer
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, leading to OS corruption, data loss, or denial of service requiring system reinstallation.
Likely Case
Targeted deletion of user files, application data, or configuration files causing application failures, data loss, or system instability.
If Mitigated
Limited impact to non-critical files if proper access controls and monitoring are in place, with potential for detection before significant damage.
🎯 Exploit Status
Exploitation requires local user access but no administrative privileges. The technique combining NTFS symbolic links and junction points is well-documented and relatively simple to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.13.0 and later
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000191057/dsa-2021-163-dell-supportassist-client-consumer-security-update-for-two-vulnerabilities
Restart Required: Yes
Instructions:
1. Open Dell SupportAssist.
2. Check for updates in settings.
3. Download and install version 3.9.13.0 or later.
4. Restart the system.
Alternatively, download directly from Dell's support website.
🔧 Temporary Workarounds
Disable Dell SupportAssist
Windows: Temporarily disable the vulnerable application until patching is possible
sc stop "Dell SupportAssist Agent"
sc config "Dell SupportAssist Agent" start= disabled
Remove vulnerable version
Windows: Uninstall the vulnerable version of Dell SupportAssist
appwiz.cpl
Select 'Dell SupportAssist' and click Uninstall
🧯 If You Can't Patch
- Restrict local user access to systems with vulnerable versions installed
- Implement strict file system auditing and monitoring for unauthorized file deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check Dell SupportAssist version in Control Panel > Programs and Features. If version is earlier than 3.9.13.0, the system is vulnerable.
Check Version:
wmic product where "name like 'Dell SupportAssist%'" get version
Verify Fix Applied:
Verify Dell SupportAssist version is 3.9.13.0 or later in Control Panel > Programs and Features.
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event Logs showing file deletion events from Dell SupportAssist process
- Application logs showing Dell SupportAssist clean file operations
Network Indicators:
- No network indicators - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4663 AND ProcessName="*SupportAssist*" AND AccessMask="0x10000" (Delete)
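The SIEM query above, worked through over exported event records as an added example (not code from Dell or from the original page). It tests the DELETE bit rather than matching the mask string exactly, and flags only deletions outside the directory the agent is expected to clean; the events are constructed, and the process path and expected directory are placeholders to replace with values from your own baseline.

```python
DELETE = 0x10000  # DELETE access right, the mask used in the page's SIEM query

# Assumption: placeholder for the directory the agent normally cleans.
EXPECTED_PREFIXES = ("c:\\placeholder\\supportassist-workdir\\",)

# Constructed sample records using the field names of Security event 4663.
AGENT = r"C:\Placeholder\SupportAssist-placeholder.exe"  # placeholder path
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": AGENT, "AccessMask": "0x10000",
     "ObjectName": r"C:\Placeholder\SupportAssist-WorkDir\cache.tmp"},
    {"EventID": 4663, "ProcessName": AGENT, "AccessMask": "0x10000",
     "ObjectName": r"C:\Windows\System32\drivers\constructed-example.sys"},
    {"EventID": 4663, "ProcessName": AGENT, "AccessMask": "0x10080",
     "ObjectName": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 4663, "ProcessName": AGENT, "AccessMask": "0x1",
     "ObjectName": r"C:\Windows\win.ini"},
    {"EventID": 4663, "ProcessName": r"C:\Windows\notepad.exe",
     "AccessMask": "0x10000", "ObjectName": r"C:\Users\alice\notes.txt"},
    {"EventID": 4656, "ProcessName": AGENT, "AccessMask": "0x10000",
     "ObjectName": r"C:\Users\alice\Desktop\todo.txt"},
]


def is_delete(mask):
    """True when the DELETE bit is set, even if other access bits are combined."""
    return int(mask, 16) & DELETE != 0


def suspicious_deletes(events, expected=EXPECTED_PREFIXES):
    """Return paths the SupportAssist process deleted outside the expected dirs."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if "supportassist" not in ev.get("ProcessName", "").lower():
            continue
        if not is_delete(ev.get("AccessMask", "0x0")):
            continue
        # Windows paths are case-insensitive, so compare in lower case.
        if not ev.get("ObjectName", "").lower().startswith(expected):
            hits.append(ev["ObjectName"])
    return hits


if __name__ == "__main__":
    for path in suspicious_deletes(SAMPLE_EVENTS):
        print("unexpected delete by SupportAssist:", path)
```

Event 4663 is only written for objects covered by a file system audit policy (SACL), so the directories worth protecting need auditing enabled first.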