CVE-2022-29094
📋 TL;DR
This vulnerability allows authenticated non-admin users to delete or overwrite arbitrary files on systems running vulnerable versions of Dell SupportAssist. It affects both consumer and commercial versions of the software, potentially leading to system instability or privilege escalation.
💻 Affected Systems
- Dell SupportAssist for Home PCs
- Dell SupportAssist for Business PCs
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete critical system files causing OS corruption, overwrite configuration files to gain persistence, or delete security software to disable protections.
Likely Case
Malicious insiders or compromised user accounts could delete user data, overwrite configuration files, or disrupt system operations.
If Mitigated
With proper access controls and monitoring, impact is limited to file deletion/overwrite within the compromised user's context.
🎯 Exploit Status
Requires authenticated user access but no admin privileges. Exploitation likely involves simple file manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Consumer: 3.10.5 or later, Commercial: 3.1.2 or later
Restart Required: Yes
Instructions:
1. Open Dell SupportAssist.
2. Check for updates in settings.
3. Install available updates.
4. Restart system.
Alternatively, download from Dell Support website.
🔧 Temporary Workarounds
Uninstall SupportAssist
Windows: Remove vulnerable software entirely if not needed
Control Panel > Programs > Uninstall a program > Select Dell SupportAssist > Uninstall
Restrict User Permissions
Windows: Limit non-admin user access to systems with SupportAssist
🧯 If You Can't Patch
- Monitor file deletion events in Windows Event Logs for suspicious activity
- Implement strict access controls to limit which users can access systems with vulnerable SupportAssist
🔍 How to Verify
Check if Vulnerable:
Check SupportAssist version: Open SupportAssist > Settings > About. Compare version against affected ranges.
Check Version:
wmic product where "name like 'Dell SupportAssist%'" get version
Verify Fix Applied:
Verify version is Consumer 3.10.5+ or Commercial 3.1.2+. Test file operations from non-admin account.
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4663 (File deletion) from non-admin users targeting system files
- Application logs showing SupportAssist file operations
Network Indicators:
- No network indicators - local exploitation only
SIEM Query:
EventID=4663 AND SubjectUserName NOT IN (admin_users) AND (ObjectName LIKE '%system32%' OR ObjectName LIKE '%program files%')
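The query above as offline triage logic over exported Security events. This is an added example, not part of the original advisory or any Dell tooling. It assumes each event is a dict using the Event 4663 field names (SubjectUserName, ObjectName, AccessMask); the admin allow-list and sample records are constructed. It goes one step beyond the query by decoding AccessMask, since 4663 records every audited access, not only deletes and writes.

```python
DELETE = 0x10000       # standard DELETE access right
WRITE_DATA = 0x2       # FILE_WRITE_DATA
APPEND_DATA = 0x4      # FILE_APPEND_DATA
# No trailing backslash on "program files" so "Program Files (x86)" matches too.
WATCHED_DIRS = ("\\system32\\", "\\program files")
ADMIN_USERS = {"administrator", "svc-patching"}  # hypothetical allow-list


def access_kinds(mask_field):
    """Decode an AccessMask hex string such as '0x10000'."""
    mask = int(mask_field, 16)
    kinds = []
    if mask & DELETE:
        kinds.append("delete")
    if mask & (WRITE_DATA | APPEND_DATA):
        kinds.append("write")
    return kinds


def suspicious(events):
    """Return (user, path, kinds) for non-admin delete/write access to watched dirs."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if ev.get("SubjectUserName", "").lower() in ADMIN_USERS:
            continue
        path = ev.get("ObjectName", "")
        # Both path tests are grouped, so the user filter applies to each of them.
        if not any(d in path.lower() for d in WATCHED_DIRS):
            continue
        kinds = access_kinds(ev.get("AccessMask", "0x0"))
        if kinds:  # skip read-only access, which 4663 also records
            hits.append((ev["SubjectUserName"], path, kinds))
    return hits


SAMPLE_EVENTS = [  # constructed records, not real log data
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": r"C:\Windows\System32\drivers\etc\hosts", "AccessMask": "0x10000"},
    {"EventID": 4663, "SubjectUserName": "Administrator", "ObjectName": r"C:\Program Files\App\app.cfg", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "bob", "ObjectName": r"C:\Users\bob\notes.txt", "AccessMask": "0x10000"},
    {"EventID": 4663, "SubjectUserName": "bob", "ObjectName": r"C:\Program Files (x86)\Vendor\settings.xml", "AccessMask": "0x6"},
    {"EventID": 4663, "SubjectUserName": "alice", "ObjectName": r"C:\Windows\System32\kernel32.dll", "AccessMask": "0x1"},
    {"EventID": 4656, "SubjectUserName": "bob", "ObjectName": r"C:\Windows\System32\config\SAM", "AccessMask": "0x10000"},
]

if __name__ == "__main__":
    for user, path, kinds in suspicious(SAMPLE_EVENTS):
        print(f"{user}: {'/'.join(kinds)} on {path}")
```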
🔗 References
- https://www.dell.com/support/kbdoc/en-us/000200456/dsa-2022-139-dell-supportassist-for-home-pcs-and-business-pcs-security-update-for-multiple-security-vulnerabilities