DSA-2022-190: Dell SupportAssist for Home and Business PCs Security Update for Multiple Proprietary Code Vulnerabilities

Summary: Dell SupportAssist for Home and Business PCs remediation is available for security vulnerabilities that may be exploited by malicious users to compromise the affected system.


Impact

High

Details

Proprietary Code CVE | Description | CVSS Base Score | CVSS Vector String
CVE-2022-34384 | SupportAssist Client Consumer (version 3.11.1 and prior), SupportAssist Client Commercial (version 3.2 and prior), Dell Command | Update, Dell Update, and Alienware Update versions before 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user may potentially exploit this vulnerability, leading to privilege escalation. | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34385 | SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-34386 | SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-34387 | Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this vulnerability to elevate privileges and gain total control of the system. | 6.4 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34388 | Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain an information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application. | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE-2022-34366 | SupportAssist for Home PCs (version 3.11.2 and prior) contains an Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-34389 | Dell SupportAssist contains a rate limit bypass issue in the ScreenMeet API third-party component. An unauthenticated attacker could potentially exploit this vulnerability and impersonate a legitimate Dell customer to a Dell support technician. | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-34392 | SupportAssist for Home PCs (versions 3.11.4 and prior) contains an insufficient session expiration vulnerability. An authenticated non-admin user could obtain the refresh token, which allows the access token to be reused to fetch sensitive information. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Dell Technologies recommends that all customers take into account both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed | Product | Affected Versions | Updated Versions
CVE-2022-34384 | Dell SupportAssist for Home PCs | Version 3.11.2 and earlier | 3.12.3
CVE-2022-34384 | Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0
CVE-2022-34385 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3
CVE-2022-34385 | Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0
CVE-2022-34386 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3
CVE-2022-34386 | Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0
CVE-2022-34387 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3
CVE-2022-34387 | Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0
CVE-2022-34388 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3
CVE-2022-34388 | Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0
CVE-2022-34366 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3
CVE-2022-34389 | Dell SupportAssist for Home PCs | Version 3.11.2 and earlier | 3.12.3
CVE-2022-34389 | Dell SupportAssist for Business PCs | Version 3.2.0 and earlier | 3.3.0
CVE-2022-34392 | Dell SupportAssist for Home PCs | Version 3.11.4 and earlier | 3.12.3

Link to Update

SupportAssist for Home PCs:
There are two ways in which the customer can get the latest component that has the fix.
1. Manual steps (recommended):
   a. Launch the SupportAssist UI.
   b. Go to the About page of the SupportAssist UI.
   c. Click "Check for Latest Updates".
2. If auto-update is enabled on the Settings page, SupportAssist for Home PCs will automatically be upgraded to the latest available version that has the fix.
   • The auto-update setting can be verified under Settings, Privacy option.
Links:
SupportAssist for Home PCs
Release Notes and User Guide

SupportAssist for Business PCs:
TechDirect Link for Admins
Release Notes and User Guide
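When triaging a fleet, the question is not only "is the build older than the update" but which of the advisory's CVEs still apply to a given installed version, since two of them (CVE-2022-34384 and CVE-2022-34389) cut off at 3.11.2 while the rest cut off at 3.11.4 on the Home PC line. The following is an added example, not Dell's code or tooling: it encodes the remediation table exactly as listed above and classifies an installed version string, comparing versions numerically so that "3.9" is not mistaken for newer than "3.11". The product labels "Home" and "Business" and the status names are this example's own.

```python
# Added example (not Dell's code): map an installed SupportAssist version to the
# DSA-2022-190 CVEs that still apply to it, using the affected and updated version
# ranges exactly as the advisory's remediation table lists them.
from typing import List, Tuple

# Rows copied from the remediation table:
# (CVE, product line, last affected version, updated version that carries the fix).
REMEDIATION: List[Tuple[str, str, str, str]] = [
    ("CVE-2022-34384", "Home", "3.11.2", "3.12.3"),
    ("CVE-2022-34384", "Business", "3.2.0", "3.3.0"),
    ("CVE-2022-34385", "Home", "3.11.4", "3.12.3"),
    ("CVE-2022-34385", "Business", "3.2.0", "3.3.0"),
    ("CVE-2022-34386", "Home", "3.11.4", "3.12.3"),
    ("CVE-2022-34386", "Business", "3.2.0", "3.3.0"),
    ("CVE-2022-34387", "Home", "3.11.4", "3.12.3"),
    ("CVE-2022-34387", "Business", "3.2.0", "3.3.0"),
    ("CVE-2022-34388", "Home", "3.11.4", "3.12.3"),
    ("CVE-2022-34388", "Business", "3.2.0", "3.3.0"),
    ("CVE-2022-34366", "Home", "3.11.4", "3.12.3"),
    ("CVE-2022-34389", "Home", "3.11.2", "3.12.3"),
    ("CVE-2022-34389", "Business", "3.2.0", "3.3.0"),
    ("CVE-2022-34392", "Home", "3.11.4", "3.12.3"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """'3.2' -> (3, 2, 0). Numeric tuples compare correctly where strings do not
    ('3.9' > '3.11' as strings, but 3.9 is the older release)."""
    parts = text.strip().split(".")
    if not (1 <= len(parts) <= 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def exposure(product: str, installed: str) -> Tuple[str, List[str]]:
    """Classify an installed build and list the CVEs from the table that apply to it.

    Returns one of:
      ("affected", [CVE, ...])       installed version is within an affected range
      ("fixed", [])                  installed version is at or above the updated version
      ("update-recommended", [])     not named as affected, but older than the updated version
    """
    if product not in ("Home", "Business"):
        raise ValueError("product must be 'Home' or 'Business'")
    v = parse_version(installed)
    rows = [r for r in REMEDIATION if r[1] == product]
    cves = [cve for cve, _, last_affected, _ in rows if v <= parse_version(last_affected)]
    if cves:
        return "affected", cves
    fixed = min(parse_version(updated) for _, _, _, updated in rows)
    if v >= fixed:
        return "fixed", []
    # A build between the last listed affected version and the updated release is
    # not vouched for by the table either way; treat it as needing the update.
    return "update-recommended", []


if __name__ == "__main__":
    for product, version in (("Home", "3.11.4"), ("Home", "3.11.2"), ("Home", "3.12.3"),
                             ("Home", "3.12.0"), ("Business", "3.2.0"), ("Business", "3.3.0")):
        status, cves = exposure(product, version)
        print(f"{product} {version}: {status} {cves}")
```

Running it shows that a Home PC on 3.11.4 is still affected by six of the eight CVEs, a Home PC on 3.11.2 by all eight, and only 3.12.3 (Home) or 3.3.0 (Business) reports as fixed; an intermediate build such as 3.12.0 is flagged for update rather than silently passed.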

Workarounds and Mitigations

None.

Revision History

Revision | Date | Description
1.0 | 2022-10-11 | Initial Release
2.0 | 2022-10-12 | Update to "Affected Products and Remediation"

Acknowledgements

Dell would like to thank Gad Abuhatzeira from SOPHTIX Security and Nave ben Naim for reporting CVE-2022-34389.
 

Related Information

Affected Products

SupportAssist, SupportAssist for Home PCs, Product Security Information, SupportAssist for Business PCs
Article Properties
Article Number: 000204114
Article Type: Dell Security Advisory
Last Modified: 12 Oct 2022