Dell Endpoint Security Suite Enterprise and Dell Threat Defense Escalation of Privileges Vulnerability

Summary: This article outlines vulnerabilities that Cylance PROTECT (Dell’s vendor for Advanced Threat Prevention found in Dell Endpoint Security Suite Enterprise and Threat Defense) disclosed in May 2018. ...

Article Content


Symptoms

Affected Products:

Dell Endpoint Security Suite Enterprise
Dell Threat Defense


Cause

Not Applicable

Resolution

When the Advanced Threat Prevention (ATP) agent connects to the Update Service, an HTTPS connection is initiated, which prompts the ATP agent to validate that the certificate being used comes from a trusted source. The agent should also check that a valid, trusted root CA signed the certificate. Before v1481 for Dell Endpoint Security Suite Enterprise, and v1482 for Dell Threat Defense, the agent did not properly validate the root CA. This could be used in a man-in-the-middle attack to push a file down to the agent. However, as a secondary precaution, the agent only accepts update packages with an identical hash to what is expected.

The impact to customers is minimal, as there are secondary checks in place to ensure that no fraudulent packages can be added to the Advanced Threat Prevention agent. Any update that does not have the expected hash is rejected before being opened.

Agent v1481.90 for Dell Endpoint Security Suite Enterprise and agent v1482.90 for Dell Threat Defense have changed the setting to require validation of the entire certificate chain. Dell recommends updating all agents to the latest version to ensure the latest protection and prevention available.
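The two layers described above (chain validation on the update connection, then a hash check before the package is opened), as an added example that is not Dell's or Cylance's code. Python's `ssl` module stands in for the agent's TLS stack, and the function names and sample package bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

def weak_context():
    """'Before' setting: the channel is encrypted but any certificate is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no chain building, no root CA check
    return ctx

def strict_context():
    """'After' setting: the whole chain must end at a trusted root CA."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """List the settings that would let an on-path host pose as the update server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings

def package_is_expected(package, expected_sha256):
    """Secondary check: compare the digest before the package is opened."""
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())

def accept_update(ctx, package, expected_sha256):
    """Apply both layers and return (accepted, reasons)."""
    reasons = audit_context(ctx)
    if not package_is_expected(package, expected_sha256):
        reasons.append("package hash does not match the expected value")
    return (not reasons, reasons)

# Constructed sample data, not a real update package.
GOOD_PACKAGE = b"constructed update package v2"
EXPECTED_SHA256 = hashlib.sha256(GOOD_PACKAGE).hexdigest()
TAMPERED_PACKAGE = GOOD_PACKAGE + b"!"

if __name__ == "__main__":
    print(accept_update(strict_context(), GOOD_PACKAGE, EXPECTED_SHA256))
    print(accept_update(weak_context(), TAMPERED_PACKAGE, EXPECTED_SHA256))
```

The hash comparison rejects the tampered package under either context, which is the secondary precaution the article relies on; the strict context removes the dependence on that single check.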

Customers using Dell Endpoint Security Suite Enterprise can enable autoupdate in their Dell Security Management Server’s WebUI to receive this update and have it applied to all their endpoints. See Endpoint Security Suite Enterprise Advanced Installation Guide v1.8 for instructions.

Note: If you cannot enable autoupdate, then an offline update package can be requested from Dell ProSupport.

Dell Threat Defense customers can enable updates for their devices by following the items that are outlined under "Settings" -> "Configure Updates" in this knowledge base article here:

How To Manage Dell Threat Defense

A vertical privilege escalation attack has been identified within Dell Endpoint Security Suite Enterprise and Dell Threat Defense. An iterative approach is being taken to resolve this vulnerability. Dell is working with its partners to ensure that a fix version is available as quickly as possible.

A privilege escalation attack can allow a malicious party access to protected resources if they gain access to the computer. This type of attack requires a malicious user to have access to the device.

Customers using Dell Endpoint Security Suite Enterprise can enable autoupdate in their Dell Security Management Server’s WebUI to receive this update and have it applied to all their endpoints. See Dell Endpoint Security Suite Enterprise Advanced Installation Guide v1.8 for instructions.

Note: If you cannot enable autoupdate, then an offline update package can be requested from Dell ProSupport.

Dell Threat Defense customers can enable updates for their devices by following the items that are outlined under "Settings" -> "Configure Updates" in this knowledge base article here:

How To Manage Dell Threat Defense

More information can be found here:

https://www.atredis.com/blog/cylance-privilege-escalation-vulnerability


Article Properties


Affected Product

Dell Threat Defense, Dell Endpoint Security Suite Enterprise

Last Published Date

19 Dec 2022

Version

8

Article Type

Solution