Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

DSA-2022-190- Dell SupportAssist for Home and Business PCs Security Update for Multiple Proprietary Code Vulnerabilities.

Summary: Dell SupportAssist for Home and Business PCs remediation is available for a security vulnerability that may be exploited by malicious users to compromise the affected system.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

High

Details

Proprietary Code CVEs  Description  CVSS Base Score  CVSS Vector String  
CVE-2022-34384 SupportAssist Client Consumer (version 3.11.1 and prior), SupportAssist Client Commercial (version 3.2 and prior), Dell Command | Update, Dell Update, and Alienware Update versions before 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user may potentially exploit this vulnerability, leading to privilege escalation. 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34385 SupportAssist for Home PCs (version 3.11.4 and prior) and  SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-34386 SupportAssist for Home PCs (version 3.11.4 and prior) and  SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-34387 Dell SupportAssist for Home PCs (version 3.11.4 and prior) and  SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this vulnerability to elevate privileges and gain total control of the system. 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34388 Dell SupportAssist for Home PCs (version 3.11.4 and prior) and  SupportAssist for Business PCs (version 3.2.0 and prior) contain information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application. 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE-2022-34366 SupportAssist for Home PCs (version 3.11.2 and prior) contain Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-34389 Dell SupportAssist contains a rate limit bypass issues in screenmeet API third party component. An unauthenticated attacker could potentially exploit this vulnerability and impersonate a legitimate dell customer to a dell support technician. 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-34392 SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Proprietary Code CVEs  Description  CVSS Base Score  CVSS Vector String  
CVE-2022-34384 SupportAssist Client Consumer (version 3.11.1 and prior), SupportAssist Client Commercial (version 3.2 and prior), Dell Command | Update, Dell Update, and Alienware Update versions before 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user may potentially exploit this vulnerability, leading to privilege escalation. 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34385 SupportAssist for Home PCs (version 3.11.4 and prior) and  SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-34386 SupportAssist for Home PCs (version 3.11.4 and prior) and  SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-34387 Dell SupportAssist for Home PCs (version 3.11.4 and prior) and  SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this vulnerability to elevate privileges and gain total control of the system. 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-34388 Dell SupportAssist for Home PCs (version 3.11.4 and prior) and  SupportAssist for Business PCs (version 3.2.0 and prior) contain information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application. 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE-2022-34366 SupportAssist for Home PCs (version 3.11.2 and prior) contain Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2022-34389 Dell SupportAssist contains a rate limit bypass issues in screenmeet API third party component. An unauthenticated attacker could potentially exploit this vulnerability and impersonate a legitimate dell customer to a dell support technician. 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-34392 SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information. 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed  
 		 Product  Affected Versions  Updated Versions  Link to Update 
CVE-2022-34384 Dell SupportAssist for Home PCs  Version 3.11.2 and earlier   3.12.3 SupportAssist for Home PCs:
There are 2 ways in which the customer can get the latest component which has the fix.  
1. Manual steps: (Recommended)  
a. Launch SupportAssist UI   
b. Go to the About Page of SupportAssist UI  
c. Click on “Check for Latest Updates”  
  
2. If Auto-update settings are enabled on the Settings page, then SupportAssist for Home PCs will automatically get upgraded to the latest available version which has the fix.
  • Auto-update setting can be verified by going to Settings Page, Privacy option.
Links:
SupportAssist for Home PCs 
Release Notes and User Guide


SupportAssist for Business PCs:
TechDirect Link for Admins
Release Notes and User Guide
 
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34385 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34386 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34387 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34388 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34366 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
CVE-2022-34389 Dell SupportAssist for Home PCs  Version 3.11.2 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34392 Dell SupportAssist for Home PCs Version 3.11.4 and earlier 3.12.3
CVEs Addressed  
 		 Product  Affected Versions  Updated Versions  Link to Update 
CVE-2022-34384 Dell SupportAssist for Home PCs  Version 3.11.2 and earlier   3.12.3 SupportAssist for Home PCs:
There are 2 ways in which the customer can get the latest component which has the fix.  
1. Manual steps: (Recommended)  
a. Launch SupportAssist UI   
b. Go to the About Page of SupportAssist UI  
c. Click on “Check for Latest Updates”  
  
2. If Auto-update settings are enabled on the Settings page, then SupportAssist for Home PCs will automatically get upgraded to the latest available version which has the fix.
  • Auto-update setting can be verified by going to Settings Page, Privacy option.
Links:
SupportAssist for Home PCs 
Release Notes and User Guide


SupportAssist for Business PCs:
TechDirect Link for Admins
Release Notes and User Guide
 
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34385 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34386 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34387 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34388 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34366 Dell SupportAssist for Home PCs  Version 3.11.4 and earlier   3.12.3
CVE-2022-34389 Dell SupportAssist for Home PCs  Version 3.11.2 and earlier   3.12.3
Dell SupportAssist for Business PCs Version 3.2.0 and earlier   3.3.0
CVE-2022-34392 Dell SupportAssist for Home PCs Version 3.11.4 and earlier 3.12.3

Workarounds & Mitigations

None.

Revision History

 Revision  Date  Description 
 1.0  2022-10-11 Initial Release
 2.0 2022-10-12  Update to “Affected Products and Remediation” 

Acknowledgements

Dell would like to thank Gad Abuhatzeira from SOPHTIX Security and Nave ben Naim for reporting CVE-2022-34389.
 

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

SupportAssist, SupportAssist for Home PCs, Product Security Information, SupportAssist for Business PCs
Article Properties
Article Number: 000204114
Article Type: Dell Security Advisory
Last Modified: 12 Oct 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.