DSA-2019-107: Dell Encryption Enterprise and Dell Endpoint Security Suite Enterprise Installer Uncontrolled Search Path Vulnerability
Résumé: Dell Data Security platforms require an update to address an uncontrolled search path vulnerability that can be exploited during the installation of the product.
Impact
Medium
Détails
Uncontrolled Search Path Vulnerability (CVE-2019-3745)
CVSS Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
The vulnerability is limited to the installers of Dell Encryption Enterprise versions prior to 10.4.0 and Dell Endpoint Security Suite Enterprise versions prior to 2.4.0. This issue is exploitable only during the installation of the product by an administrator. A local authenticated low privileged user potentially could exploit this vulnerability by staging a malicious DLL in the search path of the installer prior to its execution by a local administrator. This would cause loading of the malicious DLL, which would allow the attacker to execute arbitrary code in the context of an administrator.
Uncontrolled Search Path Vulnerability (CVE-2019-3745)
CVSS Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
The vulnerability is limited to the installers of Dell Encryption Enterprise versions prior to 10.4.0 and Dell Endpoint Security Suite Enterprise versions prior to 2.4.0. This issue is exploitable only during the installation of the product by an administrator. A local authenticated low privileged user potentially could exploit this vulnerability by staging a malicious DLL in the search path of the installer prior to its execution by a local administrator. This would cause loading of the malicious DLL, which would allow the attacker to execute arbitrary code in the context of an administrator.
Produits concernés et mesure corrective
Affected products:
Dell Encryption Enterprise prior to 10.4.0
Dell Endpoint Security Suite Enterprise prior to 2.4.0
Remediation:
The following Dell Data Security releases contains a resolution to this vulnerability:
Dell Encryption version 10.4.0 or later
Dell Endpoint Security Suite Enterprise 2.4.0 or later
Customers should use the latest version from Dell. Dell recommends installing the latest version of Dell Encryption to receive all of the latest security updates to the product.
Browse to the Dell Encryption Software download page for the latest version.
Dell Endpoint Security Suite Enterprise software will be made available to customers on their ddpe.credant.com accounts or can be obtained through Dell ProSupport.
Affected products:
Dell Encryption Enterprise prior to 10.4.0
Dell Endpoint Security Suite Enterprise prior to 2.4.0
Remediation:
The following Dell Data Security releases contains a resolution to this vulnerability:
Dell Encryption version 10.4.0 or later
Dell Endpoint Security Suite Enterprise 2.4.0 or later
Customers should use the latest version from Dell. Dell recommends installing the latest version of Dell Encryption to receive all of the latest security updates to the product.
Browse to the Dell Encryption Software download page for the latest version.
Dell Endpoint Security Suite Enterprise software will be made available to customers on their ddpe.credant.com accounts or can be obtained through Dell ProSupport.
Remerciements
Dell would like to thank Eran Shimony for reporting this vulnerability.