This page covers two vulnerabilities discovered by CyberMDX and published by Dell on the 21st of December 2020 as CVE-2020-29491 and CVE-2020-29492. The vulnerabilities affect Dell Wyse Thin client devices and once exploited allow attackers to, among other things, remotely run malicious code and access arbitrary files on affected devices.
The profound potential impact of these vulnerabilities, coupled with the relative ease of exploitation, is what makes them so critical. This criticality is reflected in the severity score of both vulnerabilities: 10/10.
Affected are all Dell Wyse Thin Clients running ThinOS versions 8.6 and below:
| Model | Affected Versions |
| --- | --- |
| Wyse 3020 | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 3030 LT | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 3040 | All versions up to ThinOS 8.6 |
| Wyse 5010 | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 5040 AIO | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 5060 | All versions up to ThinOS 8.6 (currently the latest) |
| Wyse 5070 | All versions up to ThinOS 8.6 |
| Wyse 5070 Extended | All versions up to ThinOS 8.6 |
| Wyse 5470 | All versions up to ThinOS 8.6 |
| Wyse 5470 AIO | All versions up to ThinOS 8.6 |
| Wyse 7010 | All versions up to ThinOS 8.6 (currently the latest) |
| | CVE-2020-29491 | CVE-2020-29492 |
| --- | --- | --- |
| Risk Level | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | A maximum severity score of 10.0 has been assigned to this vulnerability. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Date Reported | June, 2020 | June, 2020 |
| CISA Advisory date | December 21, 2020 | December 21, 2020 |
Wyse has been developing thin clients since the 90s and was acquired by Dell in 2012. In the US alone, an estimated 6000 companies and organizations use Dell Wyse thin client fleets inside their networks, including many healthcare providers.
A thin client is a small form-factor computer optimized for making a remote desktop connection to distant, usually more powerful, hardware. The software on the thin client is minimal and geared towards providing a seamless remote connection experience.
Thin clients introduce several advantages, including:
The affected Dell Wyse clients run an operating system named ThinOS. ThinOS can be maintained remotely; by default this is done via a local FTP server from which devices pull new firmware, packages, and configuration files. Although there are alternative ways to remotely maintain these clients, we found this method to be quite popular, and it is the one recommended by Dell.
Dell advises creating an FTP server using Microsoft IIS (no specific guidance is given) and then exposing the firmware, packages, and INI files through it. The FTP server is configured without credentials (the “anonymous” user). While the firmware and package files found on the FTP server are signed, the INI files used for configuration are not.
Additionally, there is a specific INI file on the FTP server that should be writable for the connecting clients (this is by design). Since there are no credentials, essentially anyone on the network can access the FTP server and modify that INI file holding configuration for the thin client devices.
Moreover, even if credentials were set, they would be shared across a large fleet of clients, allowing them to alter each other’s INI configuration files.
When a Dell Wyse device connects to the FTP server it looks for an INI file named “{username}.ini”, where {username} is replaced with the username used on the terminal.
If this INI file exists, it loads the configuration from it. As noted, this file is writable, so it can be created and manipulated by an attacker to control the configuration received by a specific user.
Where possible (depending on model, see table below), upgrade your thin client firmware to ThinOS version 9.x, which removes the INI file management feature.
| Model | Compatible with ThinOS Version 8.x | Compatible with ThinOS Version 9.x |
| --- | --- | --- |
| Wyse 3020 | Yes | - |
| Wyse 3030 LT | Yes | - |
| Wyse 3040 | Yes | Yes |
| Wyse 5010 | Yes | - |
| Wyse 5040 AIO | Yes | - |
| Wyse 5060 | Yes | - |
| Wyse 5070 | Yes | Yes |
| Wyse 5070 Extended | Yes | Yes |
| Wyse 5470 | Yes | Yes |
| Wyse 5470 AIO | Yes | Yes |
| Wyse 7010 | Yes | - |
If your device cannot be upgraded to ThinOS 9.x, it is recommended that you disable the use of FTP for obtaining the INI configuration files.
Navigate to System Setup > Central Configuration > General.
Remove any FTP settings present. Where remote management is required, use one of the other supported methods: an HTTPS server or Wyse Management Suite. Information on configuring those can be found on Dell’s website.
Dell Wyse uses DHCP option tags 161 and 162 to pass the file server and path information to the ThinOS client. Make sure your DHCP server does not point those options back at the FTP server, since they are re-applied on every DHCP interaction.
The INI files contain a long list of configurable parameters, detailed over more than 100 pages of official Dell documentation.
Reading or altering those parameters opens the door to a variety of attack scenarios: configuring and enabling VNC for full remote control, leaking remote desktop credentials, and manipulating DNS results are among the scenarios to be aware of.
Elad Luz, Head of Research at CyberMDX
Professor Gil David, Chief Scientist of Artificial Intelligence at CyberMDX
CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence analyst team works to help protect hospitals and healthcare organizations from malicious attacks on connected medical devices. The team’s researchers, white-hat hackers and engineers collect information about potential and existing threats to understand attacker motivations, intentions, and methodology and deliver protection against attacks and malware.
CyberMDX is an IoT security company dedicated to protecting the quality of care in health delivery worldwide. CyberMDX provides cloud-based cybersecurity solutions that support the advancement of the Internet of Medical Things. The CyberMDX solution identifies endpoints and assesses vulnerabilities to detect, respond to, and prevent cyber incidents. Deployed worldwide, CyberMDX is designed to integrate with customers’ existing environments through its scalable, easy-to-deploy and agentless solution.