DSA-2020-281: Dell Wyse ThinOS 8.6 Security Update for Insecure Default Configuration Vulnerabilities

As more and more articles are popping up about this "security issue", I thought it would be good to give you some insight into it.

Prof. Gil David and Elad Luz of CyberMDX reported two vulnerabilities (CVE-2020-29491 and CVE-2020-29492) to Dell some days ago, and Dell took immediate action by releasing ThinOS 8.6 MR8, which fixes these vulnerabilities.

So far so good. However, is this really such a big security issue? Should you hurry and update all clients to be safe again?

This depends on how you are managing your ThinOS clients. If you are still using a plain FTP or HTTP server with anonymous access and read/write permissions, then the clear answer is YES: anyone who can reach that server can rewrite the configuration that every client loads on boot. Run boy, run!

But if you are using TLS, for example HTTPS, and the WNOS share does not allow write access, then you are safe.
The same applies if you are already using Wyse Management Suite (WMS) to manage your thin clients.
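If you are not sure which of the two cases above applies to your file server, the quickest way to find out is to test it the way an attacker would: connect anonymously and try to drop a file into the WNOS share. The script below is an added example written for this post; it is not Dell's code and not part of the advisory. It assumes the conventional `/wnos/` directory that ThinOS clients fetch `wnos.ini` from, a hypothetical probe file name, and that you own the server you point it at (the probe really does try to create and then delete a file).

```python
"""Probe a ThinOS file server for the weak setup discussed in the post.

Added example, not Dell's or the original post's code. Assumes the client
configuration lives under the conventional /wnos/ directory and that you
are allowed to create a throw-away file there (run it against your own
servers only).
"""
import ftplib
import io
import sys
import urllib.error
import urllib.request
from typing import Tuple
from urllib.parse import urlsplit

PROBE_NAME = ".write-probe.txt"  # hypothetical file name used for the write test


def assess(scheme: str, anon_write: bool) -> str:
    """Turn the observed facts into the verdict used in the post.

    Anonymous write wins over everything else: if an outsider can replace
    wnos.ini, TLS on the transport does not help. Without write access the
    remaining question is whether the transport itself can be tampered with.
    """
    if anon_write:
        return "CRITICAL: anonymous write to the WNOS share, update clients and fix the share"
    if scheme == "https":
        return "OK: HTTPS transport and no anonymous write"
    if scheme in ("ftp", "http"):
        return "NOT SAFE: share is read-only but served in plaintext, move to HTTPS or WMS"
    return f"UNKNOWN: unexpected scheme {scheme!r}"


def probe_http_write(base_url: str, timeout: float = 5.0) -> bool:
    """Return True if an unauthenticated HTTP PUT into /wnos/ is accepted."""
    url = base_url.rstrip("/") + "/wnos/" + PROBE_NAME
    req = urllib.request.Request(url, data=b"probe\n", method="PUT")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            accepted = 200 <= resp.status < 300
    except urllib.error.HTTPError:
        accepted = False  # 401/403/405: write refused, which is what we want
    except (urllib.error.URLError, OSError):
        return False  # unreachable: nothing to conclude, treat as not writable
    if accepted:
        try:  # clean up the probe file again
            urllib.request.urlopen(urllib.request.Request(url, method="DELETE"), timeout=timeout)
        except (urllib.error.URLError, OSError):
            pass
    return accepted


def probe_ftp_anonymous(host: str, timeout: float = 5.0) -> Tuple[bool, bool]:
    """Return (anonymous_read, anonymous_write) for the wnos directory over FTP."""
    read_ok = write_ok = False
    try:
        with ftplib.FTP(host, timeout=timeout) as ftp:
            ftp.login()            # no arguments = anonymous login
            ftp.cwd("wnos")
            ftp.nlst()             # listing succeeds: anonymous read works
            read_ok = True
            try:
                ftp.storbinary(f"STOR {PROBE_NAME}", io.BytesIO(b"probe\n"))
                write_ok = True    # upload accepted: this is the bad case
                ftp.delete(PROBE_NAME)
            except ftplib.error_perm:
                write_ok = False   # 550 or similar: server refused the STOR
    except ftplib.all_errors:
        pass
    return read_ok, write_ok


def audit(url: str) -> str:
    """Probe one file-server URL (ftp://, http:// or https://) and return the verdict."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "ftp":
        _read_ok, write_ok = probe_ftp_anonymous(parts.hostname or "")
    elif scheme in ("http", "https"):
        write_ok = probe_http_write(url)
    else:
        write_ok = False
    return assess(scheme, write_ok)


if __name__ == "__main__":
    # hypothetical host name; pass your own file-server URLs as arguments
    for target in sys.argv[1:] or ["https://fileserver.example"]:
        print(target, "->", audit(target))
```

Run it as `python probe_wnos.py ftp://fileserver.example http://fileserver.example https://fileserver.example` and compare the three verdicts. A server that answers CRITICAL on any scheme is the configuration the advisory is about; the HTTPS check only helps once the share is read-only, because an attacker who can upload wnos.ini does not need to touch the transport at all. Note that urllib validates the server certificate by default, so a self-signed certificate on the file server will show up as unreachable rather than as OK.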

Conclusion: In my opinion, this is a valid security issue to point out. However, Dell never recommended using plain FTP with anonymous access and full permissions; every administrator should know that this leaves every door wide open to an attacker.
Dell has therefore been recommending for a long time already to rely on HTTPS, or better still, WMS.
