Dell Wyse Management Suite Multiple Unquoted Service Path Vulnerabilities

CVE Identifier: CVE-2018-11063

Severity: High

Affected Products:

• Dell Wyse Management Suite (WMS) Standard 1.1 and prior
• Dell Wyse Management Suite (WMS) Pro 1.1 and prior

Summary

Dell WMS Standard and Dell WMS Pro have been updated to fix multiple unquoted service path vulnerabilities that could potentially lead to elevation of privileges.

Details

Dell WMS versions 1.1 and prior are impacted by multiple unquoted service path vulnerabilities. Affected software installs multiple services incorrectly by specifying the paths to the service executables without quotes. This could potentially allow a low-privileged local user to execute arbitrary executables with elevated privileges.

Resolution

Dell WMS 1.2 release contains resolution to these vulnerabilities. Dell recommends upgrading at the earliest opportunity. Downloads for the applicable versions are available below:

• WMS Standard: https://downloads.dell.com/wyse/WMS/1.2/
• WMS Pro: Check WMS Digital Locker at https://www.dell.com/support/software/us/en/4

Credit

Dell would like to thank Andrew Williamson of Wipro for reporting these vulnerabilities.

Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.