DSA-2019-107: Dell Encryption Enterprise and Dell Endpoint Security Suite Enterprise Installer Uncontrolled Search Path Vulnerability


DSA Identifier: DSA-2019-107

CVE Identifier: CVE-2019-3745

Severity: Medium

Severity Rating: CVSS Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Affected products:

Dell Encryption Enterprise prior to 10.4.0

Dell Endpoint Security Suite Enterprise prior to 2.4.0

Summary:

Dell Data Security platforms require an update to address an uncontrolled search path vulnerability that can be exploited during the installation of the product.

Details:

Uncontrolled Search Path Vulnerability (CVE-2019-3745)

The vulnerability is limited to the installers of Dell Encryption Enterprise versions prior to 10.4.0 and Dell Endpoint Security Suite Enterprise versions prior to 2.4.0. This issue is exploitable only during the installation of the product by an administrator. A local authenticated low privileged user potentially could exploit this vulnerability by staging a malicious DLL in the search path of the installer prior to its execution by a local administrator. This would cause loading of the malicious DLL, which would allow the attacker to execute arbitrary code in the context of an administrator.
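The advisory states the precondition for this class of bug (a low-privileged user able to write into a directory on the installer's DLL search path) but not how to check for it. The following PowerShell script, added here and not part of Dell's advisory, walks the standard DLL search order for a given installer and reports directories where a low-privileged principal holds write rights. `$InstallerPath` is a placeholder assumption; substitute the real installer location.

```powershell
# Added example (not from the Dell advisory): audit the DLL search path an
# installer would use for directories that a low-privileged user can write to.
# A hit here is what lets an unprivileged user stage a DLL before an
# administrator runs the installer (the CVE-2019-3745 pattern).
# Assumption: $InstallerPath points at the downloaded installer (placeholder).
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\installer.exe"
)

# Principals that mean "any low-privileged local user can write here".
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData

# Standard (SafeDllSearchMode) order: application directory, System32,
# System, Windows, current directory, then PATH. Installers commonly
# extract into %TEMP% as well, so that directory is included.
$searchDirs = @(
    (Split-Path -Parent $InstallerPath),
    "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot,
    (Get-Location).Path, $env:TEMP
) + ($env:PATH -split ';' | Where-Object { $_ })

function Test-LowPrivWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $null }
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Any write-capable right granted to a broad principal is reportable.
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
    return $null
}

$searchDirs | Select-Object -Unique | ForEach-Object {
    $hit = Test-LowPrivWritable -Dir $_
    if ($hit) {
        [PSCustomObject]@{ Directory = $_; Principal = $hit.IdentityReference.Value
                           Rights    = $hit.FileSystemRights }
    }
} | Format-Table -AutoSize
```

Run it from the session the administrator will use to launch the installer, since the current directory and PATH are taken from that session; an empty table means no directory in the search order is writable by the listed principals.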

Resolution:

The following Dell Data Security releases contain a resolution to this vulnerability:

Dell Encryption version 10.4.0 or later

Dell Endpoint Security Suite Enterprise 2.4.0 or later

Customers should use the latest version from Dell. Dell recommends installing the latest version of Dell Encryption to receive all of the latest security updates to the product.

Browse to the Dell Encryption Software download page for the latest version.

Dell Endpoint Security Suite Enterprise software will be made available to customers on their ddpe.credant.com accounts or can be obtained through Dell ProSupport.

Credit:

Dell would like to thank Eran Shimony for reporting this vulnerability.

Severity Rating:

For an explanation of Severity Ratings, refer to the Dell Vulnerability Response Policy. Dell EMC recommends that all customers take into account both the base score and any relevant temporal and environmental scores, which may affect the potential severity associated with a particular security vulnerability.

Legal Information:

Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages.
Article ID: SLN318889

Last Date Modified: 10/03/2019 10:35 AM