Cybersecurity experts report that a dozen Dell Wyse models customer could be exposed to critical vulnerabilities. These flaws could be exploited by remote threat actors to execute malicious code and gain access to arbitrary files.

These “thin clients” are form factor computers used for remote desktop connections targeting higher-powered systems. These deployments are very popular among organizations that do not require computers with a high level of processing, storage, or memory. Recent figures indicate that at least 60,000 health organizations have implemented Dell Wyse thin clients in recent years.

Tracked as CVE-2020-29492 and CVE-2020-29491, these flaws reside in ThinOS components, the operating system installed in these solutions. This OS can be operated remotely, for which Dell recommends configuring an FTP server for devices to download the corresponding updates. A group of experts reported that FTP access is possible without user credentials, using an “anonymous” account.

In their report experts also mentioned that only firmware and packages are signed, leaving INI configuration files as a vector that threat actors can leverage for subsequent attacks.

In addition, the researchers claim that implementing FTP protection with user credentials would not be enough to mitigate this risk, as the username and password would be shared with all available thin clients: “When a Dell Wyse device connects to the FTP server, the INI file containing its configuration is searched; threat actors could plant a malicious version of this file to control the settings received by a specific user on the network.”

Security flaws affect the following Dell Wyse models running ThinOS version 8.6 and earlier:

In response to the report, Dell released ThinOS version 9.0, available for the following Dell Wyse models:

  • Wyse 3020
  • Wyse 3030 LT
  • Wyse 5010
  • Wyse 5040 AIO
  • Wyse 5060
  • Wyse 7010

Users of vulnerable deployments are encouraged to update as soon as possible to fully mitigate any risk of exploitation.