DSA-2019-065: Dell Update Package (DUP) Framework Uncontrolled Search Path Vulnerability

Summary: Refer to the information about DSA-2019-065 and CVE-2019-3726, also known as the Dell Update Package (DUP) Framework Uncontrolled Search Path Vulnerability.

Impact

Medium

Details

Dell Update Package (DUP) Framework has been updated to address a vulnerability which may be potentially exploited to compromise the system.

 

A Dell Update Package (DUP) is a self-contained executable in a standard package format that updates a single software/firmware element on the system. A DUP consists of two parts:

  1. A framework providing a consistent interface for applying payloads
  2. The payload that is the firmware/BIOS/Drivers

 

For more details on DUPs, see DELL EMC Update Package (DUP).

Uncontrolled Search Path Vulnerability (CVE-2019-3726)

 

An Uncontrolled Search Path Vulnerability is applicable to the following:

  • Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers.
  • Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. 

 

The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.

CVSSv3 Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Dell Technologies recommends that all customers take into account both the CVSS base score and any temporal or environmental scores that may affect the potential severity associated with a specific security vulnerability.

Affected products and remediation

Affected products:

 

  • For Dell Client Platforms: Dell Update Packages (DUP) Framework file versions prior to 3.8.3.67.
  • For Dell EMC Servers:
    • Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file versions prior to 103.4.6.69
    • All other Drivers, BIOS and Firmware: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413

Remediation:

The following Dell Update Package (DUP) Frameworks contain a remediation to the vulnerability:

 

  • Dell Client Platforms:  Dell Update Package (DUP) Framework file version 3.8.3.67 or later
  • Dell EMC Servers – Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file version 103.4.6.69 or later
  • Dell EMC Servers – all other Drivers, BIOS and Firmware:  Dell Update Package (DUP) framework file versions 19.1.0.413 or later

 

To check the DUP Framework file version, right-click on the DUP file, select Properties, and click on Details tab to find the File version number.
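
The same check can be scripted across a folder of downloaded DUPs. The PowerShell below is an added example, not Dell code: it reads each file's version resource and compares it with the fixed versions listed in this advisory. The function name, the `-Family` labels and the folder in the usage comment are assumptions; the operator states which family a DUP belongs to, since the advisory does not describe deriving it from the file.

```powershell
# Fixed DUP Framework file versions, copied from DSA-2019-065.
$FixedVersion = @{
    Client           = [version]'3.8.3.67'     # Dell Client Platforms
    ServerNetworking = [version]'103.4.6.69'   # Dell EMC Servers: Networking and Fibre Channel drivers
    ServerOther      = [version]'19.1.0.413'   # Dell EMC Servers: all other drivers, BIOS and firmware
}

function Test-DupFrameworkVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path,

        # Which threshold applies; chosen by the operator (labels are this example's own).
        [Parameter(Mandatory)]
        [ValidateSet('Client', 'ServerNetworking', 'ServerOther')]
        [string]$Family
    )
    process {
        $full = (Resolve-Path -LiteralPath $Path).ProviderPath
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($full)

        # Use the numeric parts: the FileVersion string may contain commas or extra text.
        # A file with no version resource yields 0.0.0.0 and is reported as not remediated.
        $fileVersion = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                      $info.FileBuildPart, $info.FilePrivatePart)

        [pscustomobject]@{
            Path         = $full
            Family       = $Family
            FileVersion  = $fileVersion
            FixedVersion = $FixedVersion[$Family]
            Remediated   = $fileVersion -ge $FixedVersion[$Family]
        }
    }
}

# Usage (hypothetical staging folder holding server BIOS/firmware DUPs):
# Get-ChildItem -LiteralPath 'C:\Staging\DUP' -Filter *.exe |
#     Test-DupFrameworkVersion -Family ServerOther |
#     Where-Object { -not $_.Remediated }
```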

 

Customers should use the latest DUP available from Dell support when updating their systems. Customers do not need to download and rerun DUPs if the system is already running the latest BIOS, firmware, or driver content.     

 

As a best practice, Dell also recommends executing DUP software packages from a protected location, one that requires administrative privileges to access.
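
One way to verify that a staging directory meets this recommendation is to list the non-administrative principals that can write to it. The PowerShell below is an added example, not Dell code. It assumes "protected" means that only SYSTEM, BUILTIN\Administrators and TrustedInstaller hold write-type rights on the directory; the function name is hypothetical, and the check is a heuristic that inspects Allow rules on the directory itself (not its parents, Deny rules or the owner).

```powershell
function Get-NonAdminWriter {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Directory)

    # Well-known SIDs treated as administrative in this example:
    # SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller.
    $trusted = @(
        'S-1-5-18'
        'S-1-5-32-544'
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )

    # Rights that allow creating, replacing or re-permissioning files in the directory.
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Also match raw GENERIC_WRITE | GENERIC_ALL bits, which some ACEs carry unmapped.
    $writeMask   = [int]$write -bor 0x50000000
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl     = Get-Acl -LiteralPath $Directory
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only rules apply to children, not to this directory.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }

        [pscustomobject]@{
            Directory = $Directory
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Usage (hypothetical path): no output means no non-administrative writer was found.
# Get-NonAdminWriter -Directory 'C:\Staging\DUP'
```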

 

Dell recommends customers follow security best practices for malware protection. Customers should use security software to help protect against malware (advanced threat prevention software or anti-virus).

Acknowledgements

Dell would like to thank Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony for reporting this issue.

Affected products

Desktops & All-in-Ones, Laptops, Networking, Datacenter Scalable Solutions, PowerEdge, C Series, Entry Level & Midrange
Article properties
Article number: 000137022
Article type: Dell Security Advisory
Last modified: 18 Aug 2025