Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Article Number: 000180768


DSA-2020-281: Dell Wyse ThinOS 8.6 Security Update for Insecure Default Configuration Vulnerabilities.

Summary: Dell Wyse ThinOS 8.6 MR8 contains remediations for insecure default configuration vulnerabilities that could be potentially exploited to access a writable file that can be used toSee more

Article Content


Impact

Critical

Details

Proprietary Code CVE(s) Description CVSS Base Score CVSS Vector String
CVE-2020-29491 Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients. 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-29492 Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station. 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Proprietary Code CVE(s) Description CVSS Base Score CVSS Vector String
CVE-2020-29491 Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients. 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-29492 Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station. 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

The following is a list of impacted products and remediations. Customers should use the latest releases available which use secure default configurations.
 
Product Affected Version(s) Updated Version(s) Link to Update
Dell Wyse 3040 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 3040 Thin Client (ENG)
Dell Wyse 3040 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 3040 Thin Client (JPN)
Dell Wyse 3040 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 3040 Thin Client with PCoIP (ENG)
Dell Wyse 3040 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 3040 Thin Client with PCoIP (JPN)
Dell Wyse 5010 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5010 Thin Client (ENG)
Dell Wyse 5010 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5010 Thin Client (JPN)
Dell Wyse 5010 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5010 Thin Client with PCoIP (ENG)
Dell Wyse 5010 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5010 Thin Client with PCoIP (JPN)
Dell Wyse 5040 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5040 Thin Client (ENG)
Dell Wyse 5040 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5040 Thin Client (JPN)
Dell Wyse 5040 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5040 Thin Client with PCoIP (ENG)
Dell Wyse 5040 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5040 Thin Client with PCoIP (JPN)
Dell Wyse 5060 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5060 Thin Client (ENG)
Dell Wyse 5060 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5060 Thin Client (JPN)
Dell Wyse 5060 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5060 Thin Client with PCoIP (ENG)
Dell Wyse 5060 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5060 Thin Client with PCoIP (JPN)
Dell Wyse 5070 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5070 Thin Client (ENG)
Dell Wyse 5070 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5070 Thin Client (JPN)
Dell Wyse 5070 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5070 Thin Client with PCoIP (ENG)
Dell Wyse 5070 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5070 Thin Client with PCoIP (JPN)
Dell Wyse 5470 AIO Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 AIO Thin Client (ENG)
Dell Wyse 5470 AIO Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 AIO Thin Client (JPN)
Dell Wyse 5470 AIO Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 AIO Thin Client with PCoIP (ENG)
Dell Wyse 5470 AIO Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 AIO Thin Client with PCoIP (JPN)
Dell Wyse 5470 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5470 Thin Client (ENG)
Dell Wyse 5470 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5470 Thin Client (JPN)
Dell Wyse 5470 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5470 Thin Client with PCoIP (ENG)
Dell Wyse 5470 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 Thin Client with PCoIP (JPN)
Dell Wyse 7010 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 7010 Thin Client (ENG)
Dell Wyse 7010 thin client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 7010 thin client (JPN)
The following is a list of impacted products and remediations. Customers should use the latest releases available which use secure default configurations.
 
Product Affected Version(s) Updated Version(s) Link to Update
Dell Wyse 3040 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 3040 Thin Client (ENG)
Dell Wyse 3040 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 3040 Thin Client (JPN)
Dell Wyse 3040 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 3040 Thin Client with PCoIP (ENG)
Dell Wyse 3040 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 3040 Thin Client with PCoIP (JPN)
Dell Wyse 5010 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5010 Thin Client (ENG)
Dell Wyse 5010 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5010 Thin Client (JPN)
Dell Wyse 5010 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5010 Thin Client with PCoIP (ENG)
Dell Wyse 5010 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5010 Thin Client with PCoIP (JPN)
Dell Wyse 5040 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5040 Thin Client (ENG)
Dell Wyse 5040 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5040 Thin Client (JPN)
Dell Wyse 5040 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5040 Thin Client with PCoIP (ENG)
Dell Wyse 5040 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5040 Thin Client with PCoIP (JPN)
Dell Wyse 5060 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5060 Thin Client (ENG)
Dell Wyse 5060 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5060 Thin Client (JPN)
Dell Wyse 5060 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5060 Thin Client with PCoIP (ENG)
Dell Wyse 5060 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5060 Thin Client with PCoIP (JPN)
Dell Wyse 5070 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5070 Thin Client (ENG)
Dell Wyse 5070 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5070 Thin Client (JPN)
Dell Wyse 5070 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5070 Thin Client with PCoIP (ENG)
Dell Wyse 5070 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5070 Thin Client with PCoIP (JPN)
Dell Wyse 5470 AIO Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 AIO Thin Client (ENG)
Dell Wyse 5470 AIO Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 AIO Thin Client (JPN)
Dell Wyse 5470 AIO Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 AIO Thin Client with PCoIP (ENG)
Dell Wyse 5470 AIO Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 AIO Thin Client with PCoIP (JPN)
Dell Wyse 5470 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5470 Thin Client (ENG)
Dell Wyse 5470 Thin Client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5470 Thin Client (JPN)
Dell Wyse 5470 Thin Client with PCoIP (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 5470 Thin Client with PCoIP (ENG)
Dell Wyse 5470 Thin Client with PCoIP (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol
 
8.6 MR8 Dell Wyse 5470 Thin Client with PCoIP (JPN)
Dell Wyse 7010 Thin Client (ENG) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 7010 Thin Client (ENG)
Dell Wyse 7010 thin client (JPN) Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol 8.6 MR8 Dell Wyse 7010 thin client (JPN)

Workarounds and Mitigations

Below are best practices to address this issue. Dell recommends customers implement one of the following:

  • Secure the file server environment when using Dell Wyse ThinOS 8.6 clients – Impacted ThinOS 8.6 customers can secure their environment by updating their file servers to use a secure protocol (HTTPS instead of HTTP or FTP) and by ensuring file servers are set to read-only access. 
  • Deploy Dell Wyse Management Suite – Impacted ThinOS 8.6 customers can use Wyse Management Suite instead of a file server for imaging and device configuration. Wyse Management Suite communications enforce HTTPS protocol and all configurations are stored in a secure server database instead of editable configuration files.
  • Deploy Dell Wyse Management Suite with ThinOS 9 – In addition to deploying Wyse Management Suite, customers with eligible Wyse clients can update their operating system to ThinOS 9 free of charge. ThinOS 9 clients do not support file server configuration, and thus this exploit does not apply to Wyse clients running ThinOS 9.   

Acknowledgements

Dell would like to thank Prof. Gil David and Elad Luz of CyberMDX for reporting this vulnerability.

Revision History

RevisionDateDescription
1.02020-12-21Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide


The information in this Dell Technologies Security Advisory should be read and used to assist in avoiding situations that may arise from the problems described herein. Dell Technologies distributes Security Advisories to bring important security information to the attention of users of the affected product(s). Dell Technologies assesses the risk based on an average of risks across a diverse set of installed systems and may not represent the actual risk to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. The information set forth herein is provided "as is" without warranty of any kind. Dell Technologies expressly disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation shall apply to the extent permissible under law.

Article Properties


Affected Product

Wyse ThinOS

Last Published Date

17 Feb 2021

Version

2

Article Type

Dell Security Advisory

Rate This Article


Accurate
Useful
Easy to Understand
Was this article helpful?

0/3000 characters