DSA-2022-190- Dell SupportAssist for Home and Business PCs Security Update for Multiple Proprietary Code Vulnerabilities.
Summary: Dell SupportAssist for Home and Business PCs remediation is available for a security vulnerability that may be exploited by malicious users to compromise the affected system.
Αυτό το άρθρο ισχύει για
Αυτό το άρθρο δεν ισχύει για
Αυτό το άρθρο δεν συνδέεται με κάποιο συγκεκριμένο προϊόν.
Δεν προσδιορίζονται όλες οι εκδόσεις προϊόντων σε αυτό το άρθρο.
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-34384 | SupportAssist Client Consumer (version 3.11.1 and prior), SupportAssist Client Commercial (version 3.2 and prior), Dell Command | Update, Dell Update, and Alienware Update versions before 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user may potentially exploit this vulnerability, leading to privilege escalation. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-34385 | SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-34386 | SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-34387 | Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this vulnerability to elevate privileges and gain total control of the system. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-34388 | Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| CVE-2022-34366 | SupportAssist for Home PCs (version 3.11.2 and prior) contain Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| CVE-2022-34389 | Dell SupportAssist contains a rate limit bypass issues in screenmeet API third party component. An unauthenticated attacker could potentially exploit this vulnerability and impersonate a legitimate dell customer to a dell support technician. | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2022-34392 | SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-34384 | SupportAssist Client Consumer (version 3.11.1 and prior), SupportAssist Client Commercial (version 3.2 and prior), Dell Command | Update, Dell Update, and Alienware Update versions before 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user may potentially exploit this vulnerability, leading to privilege escalation. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-34385 | SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-34386 | SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-34387 | Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this vulnerability to elevate privileges and gain total control of the system. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-34388 | Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| CVE-2022-34366 | SupportAssist for Home PCs (version 3.11.2 and prior) contain Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| CVE-2022-34389 | Dell SupportAssist contains a rate limit bypass issues in screenmeet API third party component. An unauthenticated attacker could potentially exploit this vulnerability and impersonate a legitimate dell customer to a dell support technician. | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2022-34392 | SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Επηρεαζόμενα προϊόντα και αποκατάσταση
| CVEs Addressed |
Product | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-34384 | Dell SupportAssist for Home PCs | Version 3.11.2 and earlier | 3.12.3 | SupportAssist for Home PCs: There are 2 ways in which the customer can get the latest component which has the fix. 1. Manual steps: (Recommended) a. Launch SupportAssist UI b. Go to the About Page of SupportAssist UI c. Click on “Check for Latest Updates” 2. If Auto-update settings are enabled on the Settings page, then SupportAssist for Home PCs will automatically get upgraded to the latest available version which has the fix.
SupportAssist for Home PCs Release Notes and User Guide SupportAssist for Business PCs: TechDirect Link for Admins Release Notes and User Guide |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34385 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34386 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34387 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34388 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34366 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| CVE-2022-34389 | Dell SupportAssist for Home PCs | Version 3.11.2 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34392 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 |
| CVEs Addressed |
Product | Affected Versions | Updated Versions | Link to Update |
| CVE-2022-34384 | Dell SupportAssist for Home PCs | Version 3.11.2 and earlier | 3.12.3 | SupportAssist for Home PCs: There are 2 ways in which the customer can get the latest component which has the fix. 1. Manual steps: (Recommended) a. Launch SupportAssist UI b. Go to the About Page of SupportAssist UI c. Click on “Check for Latest Updates” 2. If Auto-update settings are enabled on the Settings page, then SupportAssist for Home PCs will automatically get upgraded to the latest available version which has the fix.
SupportAssist for Home PCs Release Notes and User Guide SupportAssist for Business PCs: TechDirect Link for Admins Release Notes and User Guide |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34385 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34386 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34387 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34388 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34366 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 | |
| CVE-2022-34389 | Dell SupportAssist for Home PCs | Version 3.11.2 and earlier | 3.12.3 | |
| Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0 | ||
| CVE-2022-34392 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3 |
Λύσεις και μετριασμοί
None.
Revision History
| Revision | Date | Description |
| 1.0 | 2022-10-11 | Initial Release |
| 2.0 | 2022-10-12 | Update to “Affected Products and Remediation” |
Acknowledgements
Dell would like to thank Gad Abuhatzeira from SOPHTIX Security and Nave ben Naim for reporting CVE-2022-34389.
Related Information
Νομική αποποίηση ευθύνης
Επηρεαζόμενα προϊόντα
SupportAssist, SupportAssist for Home PCs, Product Security Information, SupportAssist for Business PCsΙδιότητες άρθρου
Article Number: 000204114
Article Type: Dell Security Advisory
Τελευταία τροποποίηση: 12 Οκτ 2022
Βρείτε απαντήσεις στις ερωτήσεις σας από άλλους χρήστες της Dell
Υπηρεσίες υποστήριξης
Ελέγξτε αν η συσκευή σας καλύπτεται από τις Υπηρεσίες υποστήριξης.