DSA-2020-281: Dell Wyse ThinOS 8.6 Security Update for Insecure Default Configuration Vulnerabilities.
Summary: Dell Wyse ThinOS 8.6 MR8 contains remediations for insecure default configuration vulnerabilities that could be potentially exploited to access a writable file that can be used to manipulate the configuration of a specific thin client and potentially gain access to sensitive information leading to the compromise of thin clients.
Impact
Critical
Details
| Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2020-29491 | Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients. | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVE-2020-29492 | Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station. | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Impacted Products and Remediation
The following is a list of impacted products and remediations. Customers should use the latest releases available which use secure default configurations.
| Product | Affected Version(s) | Updated Version(s) | Link to Update |
|---|---|---|---|
| Dell Wyse 3040 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 3040 Thin Client (ENG) |
| Dell Wyse 3040 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 3040 Thin Client (JPN) |
| Dell Wyse 3040 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 3040 Thin Client with PCoIP (ENG) |
| Dell Wyse 3040 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 3040 Thin Client with PCoIP (JPN) |
| Dell Wyse 5010 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5010 Thin Client (ENG) |
| Dell Wyse 5010 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5010 Thin Client (JPN) |
| Dell Wyse 5010 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5010 Thin Client with PCoIP (ENG) |
| Dell Wyse 5010 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5010 Thin Client with PCoIP (JPN) |
| Dell Wyse 5040 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5040 Thin Client (ENG) |
| Dell Wyse 5040 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5040 Thin Client (JPN) |
| Dell Wyse 5040 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5040 Thin Client with PCoIP (ENG) |
| Dell Wyse 5040 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5040 Thin Client with PCoIP (JPN) |
| Dell Wyse 5060 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5060 Thin Client (ENG) |
| Dell Wyse 5060 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5060 Thin Client (JPN) |
| Dell Wyse 5060 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5060 Thin Client with PCoIP (ENG) |
| Dell Wyse 5060 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5060 Thin Client with PCoIP (JPN) |
| Dell Wyse 5070 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5070 Thin Client (ENG) |
| Dell Wyse 5070 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5070 Thin Client (JPN) |
| Dell Wyse 5070 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5070 Thin Client with PCoIP (ENG) |
| Dell Wyse 5070 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5070 Thin Client with PCoIP (JPN) |
| Dell Wyse 5470 AIO Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 AIO Thin Client (ENG) |
| Dell Wyse 5470 AIO Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 AIO Thin Client (JPN) |
| Dell Wyse 5470 AIO Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 AIO Thin Client with PCoIP (ENG) |
| Dell Wyse 5470 AIO Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 AIO Thin Client with PCoIP (JPN) |
| Dell Wyse 5470 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client (ENG) |
| Dell Wyse 5470 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client (JPN) |
| Dell Wyse 5470 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client with PCoIP (ENG) |
| Dell Wyse 5470 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client with PCoIP (JPN) |
| Dell Wyse 7010 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 7010 Thin Client (ENG) |
| Dell Wyse 7010 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 7010 Thin Client (JPN) |
Workarounds and Mitigations
Below are best practices to address this issue. Dell recommends customers implement one of the following:
- Secure the file server environment when using Dell Wyse ThinOS 8.6 clients – Impacted ThinOS 8.6 customers can secure their environment by updating their file servers to use a secure protocol (HTTPS instead of HTTP or FTP) and by ensuring file servers are set to read-only access.
- Deploy Dell Wyse Management Suite – Impacted ThinOS 8.6 customers can use Wyse Management Suite instead of a file server for imaging and device configuration. Wyse Management Suite communications enforce HTTPS protocol and all configurations are stored in a secure server database instead of editable configuration files.
- Deploy Dell Wyse Management Suite with ThinOS 9 – In addition to deploying Wyse Management Suite, customers with eligible Wyse clients can update their operating system to ThinOS 9 free of charge. ThinOS 9 clients do not support file server configuration, and thus this exploit does not apply to Wyse clients running ThinOS 9.
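The first mitigation above comes down to two checks on the file server: is configuration still being fetched over a cleartext protocol, and does the server still accept writes to the configuration tree? The script below is an added example (not Dell's code and not part of this advisory) that runs those two checks over a file server's access log. It assumes a constructed log format: the web server's default combined log line with the request scheme appended as a final field. It also assumes the thin clients read their configuration from a directory named `/wnos/`; the advisory does not name the directory, so adjust `CONFIG_PREFIX` to match your server. The sample log lines are constructed.

```python
"""Audit a file server's access log for the two conditions DSA-2020-281 warns about:
configuration fetched over a cleartext protocol, and write requests reaching the
configuration tree. Added example; not Dell's code."""
import re
from collections import Counter

# Constructed log format (assumption): combined log line plus the scheme as a
# trailing field, e.g. an nginx log_format of
#   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent $scheme'
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<scheme>\w+)$'
)

# Assumed directory the thin clients fetch configuration from (not stated in the advisory).
CONFIG_PREFIX = "/wnos/"
# Methods that would modify files if the server were not read-only.
WRITE_METHODS = {"PUT", "POST", "DELETE", "PATCH", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
# Protocols the advisory names as insecure for configuration delivery.
CLEARTEXT_SCHEMES = {"http", "ftp"}

# Constructed sample: one cleartext config fetch, one HTTPS fetch, one write that the
# server accepted (201), one write it rejected (405), and one unrelated cleartext fetch.
SAMPLE_LOG = """\
10.0.0.21 - - [21/Dec/2020:09:14:02 +0000] "GET /wnos/wnos.ini HTTP/1.1" 200 4821 http
10.0.0.22 - - [21/Dec/2020:09:14:05 +0000] "GET /wnos/wnos.ini HTTP/1.1" 200 4821 https
10.0.0.99 - - [21/Dec/2020:09:15:30 +0000] "PUT /wnos/wnos.ini HTTP/1.1" 201 0 http
10.0.0.99 - - [21/Dec/2020:09:15:31 +0000] "PUT /wnos/wnos.ini HTTP/1.1" 405 0 https
10.0.0.23 - - [21/Dec/2020:09:16:00 +0000] "GET /firmware/readme.txt HTTP/1.1" 200 120 http
"""


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["scheme"] = rec["scheme"].lower()
    return rec


def audit(lines, config_prefix=CONFIG_PREFIX):
    """Classify each request under the configuration tree.

    config_write_succeeded: a write method got a 2xx, so the tree is not read-only.
    config_write_rejected:  a write method was refused (still worth knowing who tried).
    cleartext_config_fetch: configuration was served over http/ftp, the insecure default.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(config_prefix):
            continue
        if rec["method"] in WRITE_METHODS:
            kind = "config_write_succeeded" if 200 <= rec["status"] < 300 else "config_write_rejected"
            findings.append({**rec, "kind": kind})
        elif rec["scheme"] in CLEARTEXT_SCHEMES:
            findings.append({**rec, "kind": "cleartext_config_fetch"})
    return findings


def summarize(findings):
    """Count findings per kind; a non-zero config_write_succeeded means the server is writable."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:24} {f['client']:12} {f['method']} {f['path']} -> {f['status']} ({f['scheme']})")
    print(dict(summarize(audit(SAMPLE_LOG.splitlines()))))
```

A clean server after applying the mitigation shows zero `cleartext_config_fetch` and zero `config_write_succeeded` entries; any remaining `cleartext_config_fetch` lines identify clients (by address) that are still pointed at the HTTP or FTP URL and need their configuration source updated.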
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2020-12-21 | Initial Release |
Acknowledgements
Dell would like to thank Prof. Gil David and Elad Luz of CyberMDX for reporting this vulnerability.
Affected Products
Dell ThinOS
Document Properties
Document Number: 000180768
Document Type: Dell Security Advisory
Last Modified: 17 Feb 2021