DSA-2019-174: Dell Client XPS 13 2-in-1 (7390) Configuration Vulnerability

DSA-2019-174: Dell Client XPS 13 2-in-1 (7390) Configuration Vulnerability


DSA Identifier: DSA-2019-174

CVE Identifier: CVE-2019-18579

Severity: High

Severity Rating: CVSS Base Score: 7.6 (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected products:

Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1.3

Summary:

Dell Client XPS 13 2-in-1 (7390) BIOS requires an update to address a configuration vulnerability.

Details:

Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1.3 contain a configuration vulnerability. The BIOS configuration for the "Enable Thunderbolt (and PCIe behind TBT) pre-boot modules" setting is enabled by default. A local unauthenticated attacker with physical access to a user’s system can obtain read or write access to main memory via a DMA attack during platform boot.

Resolution:

Refer to the table below for the Dell Client BIOS release containing a resolution to this vulnerability.

After applying the update, the default BIOS settings need to be applied for the change to take effect. To learn more, visit the Dell Knowledge Base article How to restore the BIOS (System Setup) defaults on a Dell Product.

Please visit the Drivers and Downloads site for updates on the applicable products. To learn more, visit the Dell Knowledge Base article Dell BIOS Updates, and download the update for your Dell computer.

Customers may use one of the Dell notification solutions to be notified and download driver, BIOS and firmware updates automatically once available.

Product

Update BIOS Version
(or greater)

Release Date (MM/DD/YYYY)
Expected Release ( Month /YYYY)

XPS 13 2-in-1 (7390)

1.1.3

12/05/2019

Credit:

Dell would like to thank Mickey Shkatov from Eclypsium for reporting this vulnerability.

Severity Rating:

For an explanation of Severity Ratings, refer to Dell Vulnerability Response Policy. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

Legal Information:

Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.





Article ID: SLN319808

Last Date Modified: 12/13/2019 12:48 PM


Rate this article

Accurate
Useful
Easy to understand
Was this article helpful?
Yes No
Send us feedback
Comments cannot contain these special characters: <>()\
Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.