DSA-2023-338: Security Update for a Dell Update Package (DUP) Framework Vulnerability
Résumé: Dell Update Package (DUP) Framework remediation is available for an Uncontrolled Search Path vulnerability that could be exploited by malicious users to compromise the affected system.
Cet article concerne
Cet article ne concerne pas
Cet article n’est associé à aucun produit spécifique.
Toutes les versions du produit ne sont pas identifiées dans cet article.
Impact
Medium
Détails supplémentaires
A (DUP) is a self-contained executable in a standard package format that updates a single software/firmware element on the system. A DUP consists of two parts: 1. A framework providing a consistent interface for applying payloads. 2. The payload is the firmware/Driver/Software. An Uncontrolled Search Path Vulnerability is applicable to Dell Update Package (DUP) Framework file versions prior to 4.9.10 used in Dell Client Platforms.
Détails
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-39254 | Dell Update Package (DUP), Versions prior to 4.9.10 contain an Uncontrolled Search Path vulnerability. A malicious user with local access to the system could potentially exploit this vulnerability to run arbitrary code as admin. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-39254 | Dell Update Package (DUP), Versions prior to 4.9.10 contain an Uncontrolled Search Path vulnerability. A malicious user with local access to the system could potentially exploit this vulnerability to run arbitrary code as admin. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
Produits concernés et mesure corrective
| Product | Affected Version(s) | Updated Version(s) | Link to Update |
|---|---|---|---|
| Dell Update Package (DUP) Framework | Versions prior to 4.9.10 | 4.9.10 |
| Product | Affected Version(s) | Updated Version(s) | Link to Update |
|---|---|---|---|
| Dell Update Package (DUP) Framework | Versions prior to 4.9.10 | 4.9.10 |
CAUTION: Dell recommends executing Dell Update Package (DUP) software packages from a protected location, one that requires administrative privileges to access, as a best practice.
CAUTION: Dell recommends customers follow security best practices for malware protection. Customers should use security software to help protect against malware (advanced threat prevention software or anti-virus).
Solutions de contournement et mesures d’atténuation
NOTE: Customers should use the latest Dell Update Package (DUP) available from Dell support when updating their systems. Customers do not need to download and rerun DUPs if the system is already running the latest BIOS, firmware, or driver content.
NOTE: To check the DUP Framework file version, right-click on the DUP file, select Properties, and click on the Details tab to find the File version number.
Historique des révisions
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-02-13 | Initial Release |
| 2.0 | 2024-02-21 | Updated for enhanced presentation with no changes to content |
| 3.0 | 2024-02-21 | Updated for enhanced presentation with no changes to content |
| 4.0 | 2024-02-29 | Updated for enhanced presentation with no changes to content |
Remerciements
Dell Technologies would like to thank Dohyun Lee for reporting this issue.
Informations connexes
Mention légale
Produits concernés
Dell Update Packages - Current VersionPropriétés de l’article
Numéro d’article: 000217701
Type d’article: Dell Security Advisory
Dernière modification: 29 févr. 2024
Trouvez des réponses à vos questions auprès d’autres utilisateurs Dell
Services de support
Vérifiez si votre appareil est couvert par les services de support.