DSA-2023-279: Security Update for Dell SupportAssist for Business PCs Vulnerability
Summary: In Dell SupportAssist for Business PCs with the SupportAssist User Interface available, a locally authenticated user can bypass authentication and exclusively utilize the "Run as Administrator" component on the respective PC to perform driver scans and installations without acquiring any additional administrator privileges. This temporary privilege self-expires after 15 minutes. ...
Impact
Medium
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-39249 | Dell SupportAssist for Business PCs version 3.4.0 contains a local Authentication Bypass vulnerability that allows locally authenticated non-admin users to gain temporary privilege within the SupportAssist User Interface on their respective PC. The Run as Admin temporary privilege feature enables IT/System Administrators to perform driver scans and Dell-recommended driver installations without requiring them to log out of the local non-admin user session. However, the granted privilege is limited solely to the SupportAssist User Interface and automatically expires after 15 minutes. | 6.3 (Medium) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
Affected Products & Remediation
| CVEs Addressed | Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
|---|---|---|---|---|---|
| CVE-2023-39249 | SupportAssist for Business PCs | Software | 3.4.0 | 3.4.1 | https://www.dell.com/support/home/en-us/product-support/product/supportassist-business-pcs/ |
Workarounds & Mitigations
| CVE ID | Workaround and Mitigation |
|---|---|
| CVE-2023-39249 | Users need to keep SupportAssist for Business PCs updated to the latest version. |
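One way to check an endpoint against the affected (3.4.0) and remediated (3.4.1) versions listed above. This is an added example, not Dell's code; the `DisplayName` pattern and the function name `Get-SupportAssistAdvisoryStatus` are assumptions, and the sample entries are constructed.

```powershell
# Added example: classify the installed SupportAssist for Business PCs build
# against this advisory's versions (affected 3.4.0, remediated 3.4.1).
# ASSUMPTION: the product registers under the standard Uninstall keys with a
# DisplayName matching $NamePattern; adjust the pattern to your own inventory.
function Get-SupportAssistAdvisoryStatus {
    param(
        [string]$NamePattern = '*SupportAssist*Business*',  # assumed, not from the advisory
        [object[]]$Entries                                   # optional pre-collected entries
    )
    $affected   = [version]'3.4.0'
    $remediated = [version]'3.4.1'

    if (-not $Entries) {
        # Read both the native and the 32-bit-on-64-bit uninstall hives.
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        $Entries = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue
    }

    foreach ($e in $Entries | Where-Object { $_.DisplayName -like $NamePattern }) {
        $parsed = $null
        # A four-part build such as 3.4.0.x still sorts below 3.4.1.
        $status = if (-not [version]::TryParse([string]$e.DisplayVersion, [ref]$parsed)) {
            'Unknown (unparseable version)'
        } elseif ($parsed -ge $remediated) {
            'Remediated'
        } elseif ($parsed -ge $affected) {
            'Affected by CVE-2023-39249'
        } else {
            'Not listed in advisory'   # the advisory names only 3.4.0 as affected
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $e.DisplayName
            Version  = $e.DisplayVersion
            Status   = $status
        }
    }
}

# Constructed sample entries (names and build numbers are illustrative only).
$sample = @(
    [pscustomobject]@{ DisplayName = 'Dell SupportAssist for Business PCs'; DisplayVersion = '3.4.0.100' }
    [pscustomobject]@{ DisplayName = 'Dell SupportAssist for Business PCs'; DisplayVersion = '3.4.1.200' }
    [pscustomobject]@{ DisplayName = 'Dell SupportAssist for Business PCs'; DisplayVersion = 'n/a' }
)
Get-SupportAssistAdvisoryStatus -Entries $sample | Format-Table -AutoSize
```

Calling the function without `-Entries` reads the local registry instead of the sample data.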
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2023-08-08 | Initial Release |
Affected Products
SupportAssist, SupportAssist for Business PCs
Article Properties
Article Number: 000216574
Article Type: Dell Security Advisory
Last Modified: 08 Aug 2023