DSA-2020-281: Dell Wyse ThinOS 8.6 Security Update for Insecure Default Configuration Vulnerabilities

As more and more articles are popping up about the “security issue”, I thought it would be good to give you some insights about it.

Prof. Gil David and Elad Luz of CyberMDX reported two vulnerabilities (CVE-2020-29491 and CVE-2020-29492) to Dell some days ago, and Dell took immediate action by releasing ThinOS 8.6 MR8, which fixes these vulnerabilities.

So far so good. However, is this really such a big security issue? Should you hurry and update all clients to be safe again?

This depends on how you are managing your ThinOS clients. If you are still using a standard FTP or HTTP server with anonymous access and read/write permissions, then the clear answer is YES. Run boy, run!

But if you are using any kind of SSL encryption (for example, the HTTPS protocol) without write permissions to the WNOS share, then you are safe.
The same applies if you are already using Wyse Management Suite (WMS) for managing your Thin Clients.

Conclusion: In my opinion, this is a valid security issue to point out. However, Dell never recommended using plain FTP with anonymous access and full permissions. Every administrator should know that this would leave all doors wide open for every hacker.
Therefore, they have long recommended relying on HTTPS or even WMS.


ThinLinux 2.2 Maintenance Release 4

Today Dell has released the last update of ThinLinux 2.2, called MR4. With ThinLinux going EoML on January 31, 2021, this is the last release for ThinLinux, and customers are encouraged to evaluate and, if possible, transition to Dell Hybrid Client devices.

Changes/Features

  • Ubuntu 16.04 OS updates
  • Citrix Workspace App for Linux v20.06
  • Citrix RTME 2.9
  • VMware Horizon Client 2006
  • Firefox ESR 68.11
  • Google Chrome 83
  • Vulnerability fixes including:
    • Intel Bluetooth vulnerability fix
  • Multiple fixes to address customer reported issues. 

Supported Platforms

  • Wyse 3040 Thin Clients with ThinLinux 2.2
  • Wyse 5070 Thin Clients with ThinLinux 2.2
  • Wyse 5470 Mobile Thin Clients with ThinLinux 2.2

ThinLinux 2.x for Wyse Thin Clients Transition

Overview: What’s happening?

Dell’s ThinLinux 2.x operating system will go End of Marketing Life on January 31, 2021, and End of Service Support on April 30, 2021. Current ThinLinux 2.x customers with Wyse 3040, 5070, and 5470 thin client endpoints can expect the following:  

Available Options:

Wyse 5070 – Dell Hybrid Client (DHC) conversion kit is available to migrate customers to Dell Hybrid Client (DHC) 1.1.

This option is scheduled to be released on the 8th of December 2020 and is based on Ubuntu Linux 18.04. Subsequent releases of DHC will be based on Ubuntu 20.04.

ThinLinux customers with Wyse 5070 configurations with 16 GB eMMC and 4 GB RAM will only be able to migrate to DHC 1.1. Because DHC 1.5 with Ubuntu 20.04 requires a minimum of 32 GB storage, customers with 16 GB eMMC will not be able to receive upgrades beyond DHC 1.1.

Ubuntu 18.04 will reach EoML in April 2023.

DHC is offered as a subscription service managed with Wyse Management Suite (WMS) Pro for DHC.

There is no migration path for the Wyse 3040 and the Wyse 5470 mobile thin client.

Wyse Management Suite 3.1 release

I am excited to announce that the new Wyse Management Suite 3.1 is about to be released.

The public cloud update for customers with a US1 subscription will begin on Friday, December 4th, at 7:00 pm PT and is expected to last 8 hours.

Customers using Wyse Management Suite Pro Cloud with EU1 subscriptions should expect it to be unavailable for 8 hours on Saturday, December 11th, 2020 from 4:00 am to 12:00 pm CET.

During this time, the portal will be unavailable and users will be redirected to a maintenance page. There may also be brief periods when the maintenance page is unreachable. However, this will not affect the Thin Clients’ ability to connect to their computing environments.

Customers using the on-prem version can download WMS 3.1 here from December 4th, 2020.

What’s new in WMS 3.1
