DSA Identifier: DSA-2019-174
CVE Identifier: CVE-2019-18579
Severity Rating: CVSS Base Score: 7.6 (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1.3
Dell Client XPS 13 2-in-1 (7390) BIOS requires an update to address a configuration vulnerability.
Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1.3 contain a configuration vulnerability. The BIOS configuration for the "Enable Thunderbolt (and PCIe behind TBT) pre-boot modules" setting is enabled by default. A local unauthenticated attacker with physical access to a user’s system can obtain read or write access to main memory via a DMA attack during platform boot.
Refer to the table below for the Dell Client BIOS release containing a resolution to this vulnerability.
After applying the update, the default BIOS settings need to be applied for the change to take effect. To learn more, visit the Dell Knowledge Base article How to restore the BIOS (System Setup) defaults on a Dell Product.
Please visit the Drivers and Downloads site for updates on the applicable products. To learn more, visit the Dell Knowledge Base article Dell BIOS Updates, and download the update for your Dell computer.
Customers may use one of the Dell notification solutions to be notified and download driver, BIOS and firmware updates automatically once available.
Update BIOS Version
Release Date (MM/DD/YYYY)
XPS 13 2-in-1 (7390)
Dell would like to thank Mickey Shkatov from Eclypsium for reporting this vulnerability.
For an explanation of Severity Ratings, refer to Dell Vulnerability Response Policy. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.
Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Article ID: SLN319808
Last Date Modified: 12/13/2019 12:48 PM
Thank you for your feedback.