DSA-2019-065: Dell Update Package (DUP) Framework Uncontrolled Search Path Vulnerability

Uncontrolled Search Path Vulnerability (CVE-2019-3726)

An Uncontrolled Search Path Vulnerability is applicable to the following:

• Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers.
• Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. 

The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.

CVSSv3 Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Affected products:

• For Dell Client Platforms: Dell Update Packages (DUP) Framework file versions prior to 3.8.3.67.
• For Dell EMC Servers:
  • Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file versions prior to 103.4.6.69
  • All other Drivers, BIOS and Firmware: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413

Remediation:

The following Dell Update Package (DUP) Frameworks contain a remediation to the vulnerability:

• Dell Client Platforms:  Dell Update Package (DUP) Framework file version 3.8.3.67 or later
• Dell EMC Servers – Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file version 103.4.6.69 or later
• Dell EMC Servers – all other Drivers, BIOS and Firmware:  Dell Update Package (DUP) framework file versions 19.1.0.413 or later

To check the DUP Framework file version, right-click on the DUP file, select Properties, and click on Details tab to find the File version number.

Customers should use the latest DUP available from Dell support when updating their systems. Customers do not need to download and rerun DUPs if the system is already running the latest BIOS, firmware, or driver content.     

Dell also recommends executing DUP software packages from a protected location, one that requires administrative privileges to access as a best practice.

Dell recommends customers follow security best practices for malware protection. Customers should use security software to help protect against malware (advanced threat prevention software or anti-virus).