DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities

DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities


DSA Identifier: DSA-2019-051

CVE Identifier: CVE-2019-3718, CVE-2019-3719

Severity: High

Severity Rating: CVSS Base Score: See below for NVD Scores

Affected products:

Dell SupportAssist Client versions prior to 3.2.0.90.

Summary:

Dell SupportAssist Client has been updated to address multiple vulnerabilities which may be potentially exploited to compromise the system.

Details:

Improper Origin Validation (CVE-2019-3718)

Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems.

CVSSv3 Base Score: 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H)

Remote Code Execution Vulnerability (CVE-2019-3719)

Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites.

CVSSv3 Base Score: 7.1 (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Resolution:

The following Dell SupportAssist Client release contains resolutions to these vulnerabilities:

  • Dell SupportAssist Client version 3.2.0.90 and later.

Dell recommends all customers upgrade at the earliest opportunity.

Link to remedies:

Customers can download software from https://downloads.dell.com/serviceability/Catalog/SupportAssistInstaller.exe.

Credit:

Dell would like to thank John C. Hennessy-ReCar for reporting CVE-2019-3718 and Bill Demirkapi for reporting CVE-2019-3719.

Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.





문서 ID: SLN316857

최종 수정일: 04/23/2019 11:19 AM


이 문서 평가하기

정확함
유용함
이해하기 쉬운
이 문서가 도움이 되셨나요?
지원 미지원
피드백을 보내 주십시오.
의견에는 <>()\와 같은 특수 문자를 사용할 수 없습니다.
죄송합니다. 현재 피드백 시스템은 사용하실 수 없습니다. 잠시 후에 다시 시도하십시오.

피드백을 보내주셔서 감사합니다.