A team of researchers today unveiled two critical security vulnerabilities in Dell Wyse Thin clients that could have potentially allowed attackers to remotely execute malicious code and access arbitrary files on affected devices.
The flaws, which were uncovered by healthcare cybersecurity provider CyberMDX and reported to Dell in June 2020, affects all devices running ThinOS versions 8.6 and below.
Dell has addressed both the vulnerabilities in an update released today. The flaws also have a CVSS score of 10 out of 10, making them critical in severity.
Thin clients are typically computers that run from resources stored on a central server instead of a localized hard drive. They work by establishing a remote connection to the server, which takes care of launching and running applications and storing relevant data.
Tracked as CVE-2020-29491 and CVE-2020-29492, the security shortcomings in Wyse’s thin clients stem from the fact that the FTP sessions used to pull firmware updates and configurations from a local server are unprotected sans any authentication (“anonymous”), thus making it possible for an attacker in the same network to read and alter their configurations.
images from Hacker News