Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000137022


DSA-2019-065: Dell Update Package (DUP) Framework Uncontrolled Search Path Vulnerability

Summary: Refer to the information about the DSA-2019-065 and CVE-2019-3726, also known as the Dell Update Package (DUP) Framework Uncontrolled Search Path Vulnerability.

Article Content


Impact

Medium

Overview

Dell Update Package (DUP) Framework has been updated to address a vulnerability which may be potentially exploited to compromise the system.

 

A (DUP) is a self-contained executable in a standard package format that updates a single software/firmware element on the system.  A DUP consists of two parts:

  1. A framework providing a consistent interface for applying payloads
  2. The payload that is the firmware/BIOS/Drivers

 

For more details on DUPs, see DELL EMC Update Package (DUP) .

Details

Uncontrolled Search Path Vulnerability (CVE-2019-3726)

 

An Uncontrolled Search Path Vulnerability is applicable to the following:

  • Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers.
  • Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. 

 

The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.

CVSSv3 Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Uncontrolled Search Path Vulnerability (CVE-2019-3726)

 

An Uncontrolled Search Path Vulnerability is applicable to the following:

  • Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers.
  • Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. 

 

The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.

CVSSv3 Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Affected products:

 

  • For Dell Client Platforms: Dell Update Packages (DUP) Framework file versions prior to 3.8.3.67.
  • For Dell EMC Servers:
    • Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file versions prior to 103.4.6.69
    • All other Drivers, BIOS and Firmware: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413

Remediation:

The following Dell Update Package (DUP) Frameworks contain a remediation to the vulnerability:

 

  • Dell Client Platforms:  Dell Update Package (DUP) Framework file version 3.8.3.67 or later
  • Dell EMC Servers – Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file version 103.4.6.69 or later
  • Dell EMC Servers – all other Drivers, BIOS and Firmware:  Dell Update Package (DUP) framework file versions 19.1.0.413 or later

 

To check the DUP Framework file version, right-click on the DUP file, select Properties, and click on Details tab to find the File version number.

 

Customers should use the latest DUP available from Dell support when updating their systems. Customers do not need to download and rerun DUPs if the system is already running the latest BIOS, firmware, or driver content.     

 

Dell also recommends executing DUP software packages from a protected location, one that requires administrative privileges to access as a best practice.

 

Dell recommends customers follow security best practices for malware protection. Customers should use security software to help protect against malware (advanced threat prevention software or anti-virus).

Affected products:

 

  • For Dell Client Platforms: Dell Update Packages (DUP) Framework file versions prior to 3.8.3.67.
  • For Dell EMC Servers:
    • Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file versions prior to 103.4.6.69
    • All other Drivers, BIOS and Firmware: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413

Remediation:

The following Dell Update Package (DUP) Frameworks contain a remediation to the vulnerability:

 

  • Dell Client Platforms:  Dell Update Package (DUP) Framework file version 3.8.3.67 or later
  • Dell EMC Servers – Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file version 103.4.6.69 or later
  • Dell EMC Servers – all other Drivers, BIOS and Firmware:  Dell Update Package (DUP) framework file versions 19.1.0.413 or later

 

To check the DUP Framework file version, right-click on the DUP file, select Properties, and click on Details tab to find the File version number.

 

Customers should use the latest DUP available from Dell support when updating their systems. Customers do not need to download and rerun DUPs if the system is already running the latest BIOS, firmware, or driver content.     

 

Dell also recommends executing DUP software packages from a protected location, one that requires administrative privileges to access as a best practice.

 

Dell recommends customers follow security best practices for malware protection. Customers should use security software to help protect against malware (advanced threat prevention software or anti-virus).

Acknowledgements

Dell would like to thank Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony for reporting this issue.

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


Article Properties


Affected Product

Desktops & All-in-Ones, Laptops, Networking, Datacenter Scalable Solutions, PowerEdge, C Series, Entry Level & Midrange

Last Published Date

21 Feb 2021

Version

5

Article Type

Dell Security Advisory