DSA-2019-022: Dell Wyse Password Encoder Hard Coded Cryptographic Key Vulnerability

Summary: Dell Wyse Password Encoder and ThinLinux2 have been updated to address a security vulnerability that may potentially be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

High

Details

The Dell Wyse Password Encoder in ThinLinux2 versions prior to 2.1.0.01 contain a hard coded Cryptographic Key vulnerability. An unauthenticated remote attacker could reverse engineer the cryptographic system used in the Dell Wyse Password Encoder to discover the hard coded private key and decrypt locally stored cipher text.
 

CVSSv3 Base Score: 7.9 (AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

The Dell Wyse Password Encoder in ThinLinux2 versions prior to 2.1.0.01 contain a hard coded Cryptographic Key vulnerability. An unauthenticated remote attacker could reverse engineer the cryptographic system used in the Dell Wyse Password Encoder to discover the hard coded private key and decrypt locally stored cipher text.
 

CVSSv3 Base Score: 7.9 (AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

Affected products:

Dell Wyse Linux Thin Clients with ThinLinux2 version prior to 2.1.0.01

Remediation:
 

The following Dell ThinLinux2 release contains a resolution to the vulnerability:

  • Dell ThinLinux2 versions 2.1.0.01 and later

Dell Technologies recommends all customers upgrade at the earliest opportunity. For more information, see Dell Knowledge Base article Drivers & Downloads FAQs.

Customers can download software from Dell Support at: 

Affected products:

Dell Wyse Linux Thin Clients with ThinLinux2 version prior to 2.1.0.01

Remediation:
 

The following Dell ThinLinux2 release contains a resolution to the vulnerability:

  • Dell ThinLinux2 versions 2.1.0.01 and later

Dell Technologies recommends all customers upgrade at the earliest opportunity. For more information, see Dell Knowledge Base article Drivers & Downloads FAQs.

Customers can download software from Dell Support at: 

Acknowledgements

Dell would like to thank Andrew Tierney at Pen Test Partners for reporting this vulnerability.

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

Wyse 3040 Thin Client, Wyse 5070 Thin Client
Article Properties
Article Number: 000142620
Article Type: Dell Security Advisory
Last Modified: 15 Mar 2024
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.