2025-10-23, Europe
By its own definition, Dell's Wyse Management Suite is "a secure hybrid cloud management solution for Dell thin clients". While attempting to determine how secrets are encrypted in the policies pushed to thin clients, we stumbled down a rabbit hole which led to the discovery of multiple vulnerabilities.
These vulnerabilities allow an attacker not only to decrypt the secrets from policies issued to arbitrary devices, but also to fully compromise the Wyse Management Suite server, which in turn allows them to take over all the devices in the thin client fleet.
While these issues are already important in the case of on-premise deployments, the risk is even higher in Dell's own cloud environment, where tenant isolation is not sufficient to prevent exploitation from one tenant to another.
This talk will walk through our process of examining Dell's Wyse Management Suite in search of weaknesses or vulnerabilities that would initially allow us to decrypt secrets found in policies pushed out to thin clients.
WMS can be seen as a sort of Configuration Manager or even Device Management solution, where thin clients can register and retrieve configuration files and applications to be deployed. This makes it an ideal target for an attacker, as compromising the server would allow them to take control of any client in the fleet.
During this research, multiple vulnerabilities were discovered. The first ones allow an attacker to impersonate legitimate devices within the system in order to recover policies and decrypt secrets found within. Additional efforts uncovered vulnerabilities that can be exploited to fully compromise the WMS server or any remote repository configured by the system. This can in turn lead to the compromise of any of the devices in the fleet.
The device impersonation issues can also be exploited within Dell's own cloud environment, where it is possible to leak information across tenants to access and compromise sensitive data and assets.
Alain Mowat is the Head of Research & Development at Orange Cyberdefense Switzerland. He joined the company (then called SCRT) in 2009 as a penetration tester and subsequently led the offensive security team in the same company for many years until turning towards R&D. While still performing various engagements throughout the year, Alain is also dedicated to exploring new approaches to be used by the offensive security industry to better secure client infrastructures.
Aside from these activities, Alain was an active member in the 0daysober CTF team that finished 3rd at DEFCON CTF in 2015 and has responsibly disclosed vulnerabilities in multiple products such as Citrix NetScaler, SonicWall, Barracuda, Twitter and McAfee.
Alain is also responsible for giving various security-related trainings at Orange Cyberdefense Switzerland and has presented at several conferences, such as Insomni’hack, where he is also one of the organisers, Secure IT VS, CyberSecurity Alliance, SIGS and Area41.