Dell Wyse Thin Client scores two perfect 10 security flaws

Dell, which pitches its Wyse ThinOS as "the most secure thin client operating system," plans to publish an advisory on Monday for two severe security vulnerabilities. CVE-2020-29491 and CVE-2020-29492 are both critical flaws, managing a perfect (although unwelcome) CVSS score of 10 out of 10. The vulnerabilities, which affect …

  1. Mr Dogshit

    LOL

    Wyse guys

    1. Halfmad

      Re: LOL

      Or as we used to call them...

      Why Guys?

  2. RM Myers
    FAIL

    Good Job Dell!

    According to Dell's website, "Wyse Thin Clients Accelerate your cloud strategy and enhance virtual workspaces with intelligent unified management and the ultimate security solutions."

    Way to go Dell - a perfect 10 for 10 - definitely the ultimate security (security failure, that is)! Evidently security was part of the "fat" they removed to get to a "thin" client.

  3. WolfFan

    “Dude! You’re hacking a Dell!”

    No further comment.

    1. jake Silver badge

      Re: “Dude! You’re hacking a Dell!”

      It's hardly hacking when you are waved in and allowed to do whatever you like.

  4. redpawn

    The Fools Mate of ...

    Security!

  5. katrinab Silver badge
    Mushroom

    An anonymous, world writable FTP server on IIS?!

    I just have no words to describe this.

    1. tcmonkey

      It shouldn't have even gotten through the design meeting/code review. Absolutely farcical.

      1. jake Silver badge

        They were invented, built and sold by Marketing, not Engineering. There is no Marketing course for code review or system design, therefore they don't exist.

        1. Brian Miller

          The code review for Marketing is, "Uh, that looks like code." The design review is, "Uh, that looks shiny!"

          After all, we all know that Marketing has been polishing turds since time immemorial.

      2. Anonymous Coward

        I'd love to see a post-mortem

        Indeed. Lots of predictable comments here about how stupid everyone else¹ is, etc., but the thing is, I really have difficulty believing that in 2020 anyone in a position to implement this product would not have been aware of the risks involved in something like using FTP (and anonymous, at that) so I tend to think "there but for the grace of God…"²

        I doubt Dell will do this, but a public report of how they managed to ship with such a fundamental hole (barn door wide open) should make, I expect, for some very instructive reading.

        ¹ I don't understand how companies don't just go and hire every commentard in here, surely no more bugs ever, all the code would be at its most efficient, the design would be clean and clear, etc., etc.!

        ² Former commercial pilot. Even knowing how impossibly stupendous we all were (source: ourselves), things still went wrong from time to time and it was always good to learn how the holes in the cheese managed to line up.

    2. Halfmad

      Think of it as lots of free happy honeypots on the network.

      Unintended.. but fully functioning.

  6. tcmonkey

    Unsurprising

    Never liked ThinOS. If you're going to be running thin clients, then you should be running either the Windows Embedded variants or a proper Linux. Neither are especially difficult to manage, and both are better thought out than this mess.

  7. sbt
    Facepalm

    Perfect 10? It goes up to 11. The stupid, that is.

    I wondered why TF the clients needed write access to the server and it wasn't explained in either CyberMDX or Dell's reports.

    In the referenced Thin client reference guide, however, reveals all (p. 7, my emphasis):

    7 {username}.ini Files must be Write-Enabled

    All {username}.ini files must be write-enabled to allow the thin client to place the encrypted user passwords in the files.

    At that point, I stopped reading.

  8. RobThBay

    I didn't know thin clients were still a "thing". I thought they vanished about 20 years ago.

    1. Anonymous Coward

      I've noticed they keep popping back up in management's minds every few years, usually just as the reasons for ditching them fade or a new hire starts.

    2. jake Silver badge

      Thin clients still have a place in Corporate infrastructure. Rather sadly, that place is not usually properly defined by "We'll save tons of money!!!" ...

    3. Anonymous Coward

      > I didn't know thin clients were still a "thing". I thought they vanished about 20 years ago.

      On the contrary. In the days of cloud-based everything, every computer is in effect a "thin" client (for some definition of "thin").

  9. DrXym

    Oopsy

    I can understand this happening in some random webcam firmware. In Dell's "secure" platform? Not so much unless they were trying to win some kind of prize for hubris.

  10. MarkET

    FTP?

    Enough said. Game over. Player 2 please.

    1. jake Silver badge

      Re: FTP?

      Nothing wrong with good old FTP, when used properly.

      1. Anonymous Coward

        Re: FTP?

        > Nothing wrong with good old FTP, when used properly.

        Could you offer some examples of when it would be used properly these days?

        I am just trying to understand how Dell managed to wreck this train and I reject the facile explanation that "they're just idiots". Perhaps each team thought they were taking limited risks but they failed to see how in the big picture all the risks lined up like a railway tunnel? I don't know, but honestly interested to know: in which application would you use FTP in (nearly) 2021 and why? Cheers.

        1. vtcodger Silver badge

          Re: FTP?

          "Could you offer some examples of when it would be used properly these days?"

          I don't know about anybody else, but I use it to maintain my website. It is simple. It moves files. It is scriptable. It needs a userID and password for access. What alternative would you propose that doesn't do pretty much the same thing -- probably in a more complicated way -- with pretty much the same vulnerabilities?

          It took me many decades, but I eventually learned by trial and error that overly simplistic "solutions" don't work because they are flawed and overly complex "solutions" don't work (for me) because I am flawed. FTP seems a reasonable compromise (for me).

          1. katrinab Silver badge
            Paris Hilton

            Re: FTP?

            Something along the lines of

            rsync -az --delete ~/website/ remotehost:/usr/local/www/

          2. Anonymous Coward

            Re: FTP?

            Thank you for offering an example.

            Are you aware that your username and password are being sent in the clear for everyone to see (as is the data), and that due to their diminished popularity FTP daemons are not receiving as much love as they used to, making them more vulnerable to 0days?

            For my personal website (when I had one), I usually opened Dolphin, split the window into two panes with F3, then clicked on the shortcut to the SFTP URL pointing to my server's files (e.g., sftp://example.com/srv/www/htdocs/) and dragged the files across.

            Alternatively, you could achieve the same thing on the command line via scp.

            Aside from the low-hanging security advantages, it also saves you from having to install a dedicated server process, assuming that your remote box already runs sshd anyway.

            1. FILE_ID.DIZ
              Boffin

              Re: FTP?

              FTPS over TCP/990 is inherently encrypted. Plus, it solves all the shit with NAT, passive port ranges and those shenanigans.

              FTPES over TCP/21 is better than no encryption, but reverse proxies/security appliances sometimes have problems with it. This uses explicit encryption, i.e. the client must request a secure channel prior to credential passing. An FTP server that I am familiar with allows for per-login-name enforcement of explicit encryption, thereby ensuring that any client that isn't an idiot, i.e. follows the relevant RFC, can't accidentally disclose a password over clear text.

              FTP has evolved just like HTTP has.

              FTP has evolved just like inherently encrypted SMTP (TCP/465) has.

              At the end of the day, there are several ways to skin a cat securely.

        2. Trixr

          Re: FTP?

          Internal network management group who refuse to open an SSL port so we can upload some stinking files from internal windows host to a perimeter web server?

          Just a random example that sprung to mind.

      2. DrXym

        Re: FTP?

        FTP / TFTP might still be suitable for some niche roles. But beyond that, there isn't much excuse in the general case for not using something more secure like scp. At least then the user/password authentication is encrypted. Most embedded devices will go even further and will implement something like port knocking or a USB master key so the device won't even listen for ssh commands unless it is preceded by some signal. That's in addition to signed firmware, locked down / disabled root etc.
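The exposure the thread keeps circling back to (katrinab's "anonymous, world writable FTP server", sbt's note that the {username}.ini files must be write-enabled, and FILE_ID.DIZ's point that a server can at least insist on explicit TLS before credentials pass) reduces to three questions an engineer can put to a file server before trusting it. The probe below is an added example for this discussion, not code from the article, CyberMDX or Dell. The target host and port are assumptions, and the in-process FakeFTPServer is a constructed, deliberately permissive stand-in so the probe can be run offline; point the functions at a real host to use them for real. It uses only the Python standard library.

```python
"""Probe an FTP server for: anonymous login, anonymous write, and whether
explicit TLS (AUTH TLS) is on offer.  Added example; standard library only."""
import ftplib
import io
import socket
import threading
import uuid

ANON_USER = "anonymous"
ANON_PASS = "probe@example.invalid"   # assumed e-mail-style token, per RFC 1635


def offers_explicit_tls(host, port=21, timeout=5.0):
    """True if the server answers AUTH TLS with 234 (RFC 4217 explicit FTPS)."""
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        return ftp.sendcmd("AUTH TLS").startswith("234")
    except ftplib.all_errors:        # 5xx reply or no connection at all
        return False
    finally:
        ftp.close()                  # drop the socket; after 234 the server wants a handshake


def probe_anonymous_write(host, port=21, timeout=5.0):
    """Return (anon_login_ok, anon_write_ok); any probe file is deleted again."""
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.login(ANON_USER, ANON_PASS)
    except ftplib.all_errors:
        ftp.close()
        return (False, False)
    name = f".probe-{uuid.uuid4().hex}.tmp"   # unique, so nothing real is clobbered
    try:
        ftp.storbinary(f"STOR {name}", io.BytesIO(b"probe\n"))
        writable = True
    except ftplib.all_errors:        # 5xx: upload refused
        writable = False
    try:
        if writable:
            ftp.delete(name)
        ftp.quit()
    except ftplib.all_errors:
        ftp.close()
    return (True, writable)


def assess(host, port=21, timeout=5.0):
    """Combine the findings; 'exposed' means anyone on the network can plant files."""
    tls = offers_explicit_tls(host, port, timeout)
    login, write = probe_anonymous_write(host, port, timeout)
    return {"auth_tls": tls, "anon_login": login, "anon_write": write,
            "exposed": login and write}


class FakeFTPServer(threading.Thread):
    """Constructed offline target: just enough of RFC 959 for ftplib's login and
    passive-mode STOR.  Plain text only, so AUTH TLS is refused."""

    def __init__(self, allow_anon=True, allow_write=True):
        super().__init__(daemon=True)
        self.allow_anon, self.allow_write = allow_anon, allow_write
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        self.stored = []             # (name, bytes) for every upload accepted

    def run(self):
        while True:
            conn, _ = self.listener.accept()
            self.serve(conn)

    def serve(self, conn):
        def reply(text):
            conn.sendall((text + "\r\n").encode())

        data_listener = None
        reply("220 fake ftp ready")
        with conn.makefile("rb") as rfile:
            for line in rfile:
                cmd, _, arg = line.decode().rstrip("\r\n").partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    refused = arg.lower() == ANON_USER and not self.allow_anon
                    reply("530 anonymous login refused" if refused else "331 send password")
                elif cmd == "PASS":
                    reply("230 logged in")
                elif cmd == "TYPE":
                    reply("200 ok")
                elif cmd == "PASV":
                    data_listener = socket.socket()
                    data_listener.bind(("127.0.0.1", 0))
                    data_listener.listen(1)
                    p = data_listener.getsockname()[1]
                    reply(f"227 Entering Passive Mode (127,0,0,1,{p >> 8},{p & 0xFF})")
                elif cmd == "STOR" and self.allow_write and data_listener is not None:
                    reply("150 send the data")
                    data, _ = data_listener.accept()
                    body = b"".join(iter(lambda: data.recv(4096), b""))
                    data.close()
                    self.stored.append((arg, body))
                    reply("226 transfer complete")
                elif cmd == "DELE":
                    reply("250 deleted" if any(n == arg for n, _ in self.stored) else "550 no such file")
                elif cmd == "QUIT":
                    reply("221 bye")
                    break
                else:                # AUTH, a refused STOR, anything unknown
                    reply("502 command not available")
                if cmd == "STOR" and data_listener is not None:
                    data_listener.close()
                    data_listener = None
        conn.close()


if __name__ == "__main__":
    target = FakeFTPServer()         # assumed target; replace with a real host/port
    target.start()
    print(assess("127.0.0.1", target.port))
```

The probe uploads a uniquely named file and removes it rather than just checking the directory listing, because a listing can be read-only while STOR still succeeds, and that write is exactly what lets an attacker feed a client a modified {username}.ini. The AUTH TLS check only records whether the server offers explicit TLS; it does not negotiate it, which is why it drops the connection afterwards.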

  11. DutchBasterd

    Oh wow. Version 9 dropped support for EVERYTHING except Citrix. Great, we use them with VMWare.

  12. Anonymous Coward

    Thin client...

    ... fat headed idiot coder

  13. Robert Carnegie Silver badge

    FTP does things that telnet can't!

    And shouldn't!

  14. Uncle Ron

    I Know Nothing...

    I don't know a thing about these Wyse clients, but if they use VNC for any part of their function I wouldn't be caught dead recommending it or using it. I use VNC at home to remotely control and use the PCs in my home network (8 of them) and the performance is awful. Barely usable. So, No Thanks Wyse.

  15. J. Cook Silver badge

    My guess is that they are intended to be used on a 'protected' or 'secured' network? Still, terrible idea.

    We tried it a while ago at [RedactedCo], and it was shite.

  16. ShazadM

    Use KACE

    Can't Dell use KACE to do these pushes?

    1. EnviableOne

      Re: Use KACE

      Nah, they spun it out
