DSA-2020-281: Dell Wyse ThinOS 8.6 Security Update for Insecure Default Configuration Vulnerabilities.
Podsumowanie: Dell Wyse ThinOS 8.6 MR8 contains remediations for insecure default configuration vulnerabilities that could be potentially exploited to access a writable file that can be used to manipulate the configuration of a specific thin client and potentially gain access to sensitive information leading to the compromise of thin clients. ...
Ten artykuł dotyczy
Ten artykuł nie dotyczy
Ten artykuł nie jest powiązany z żadnym konkretnym produktem.
Nie wszystkie wersje produktu zostały zidentyfikowane w tym artykule.
Skutki
Critical
Szczegóły
| Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String |
| CVE-2020-29491 | Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients. | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVE-2020-29492 | Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station. | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String |
| CVE-2020-29491 | Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients. | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CVE-2020-29492 | Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station. | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Produkty, których dotyczy problem, i środki zaradcze
The following is a list of impacted products and remediations. Customers should use the latest releases available which use secure default configurations.
| Product | Affected Version(s) | Updated Version(s) | Link to Update |
| Dell Wyse 3040 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 3040 Thin Client (ENG) |
| Dell Wyse 3040 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 3040 Thin Client (JPN) |
| Dell Wyse 3040 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 3040 Thin Client with PCoIP (ENG) |
| Dell Wyse 3040 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 3040 Thin Client with PCoIP (JPN) |
| Dell Wyse 5010 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5010 Thin Client (ENG) |
| Dell Wyse 5010 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5010 Thin Client (JPN) |
| Dell Wyse 5010 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5010 Thin Client with PCoIP (ENG) |
| Dell Wyse 5010 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5010 Thin Client with PCoIP (JPN) |
| Dell Wyse 5040 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5040 Thin Client (ENG) |
| Dell Wyse 5040 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5040 Thin Client (JPN) |
| Dell Wyse 5040 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5040 Thin Client with PCoIP (ENG) |
| Dell Wyse 5040 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5040 Thin Client with PCoIP (JPN) |
| Dell Wyse 5060 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5060 Thin Client (ENG) |
| Dell Wyse 5060 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5060 Thin Client (JPN) |
| Dell Wyse 5060 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5060 Thin Client with PCoIP (ENG) |
| Dell Wyse 5060 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5060 Thin Client with PCoIP (JPN) |
| Dell Wyse 5070 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5070 Thin Client (ENG) |
| Dell Wyse 5070 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5070 Thin Client (JPN) |
| Dell Wyse 5070 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5070 Thin Client with PCoIP (ENG) |
| Dell Wyse 5070 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5070 Thin Client with PCoIP (JPN) |
| Dell Wyse 5470 AIO Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 AIO Thin Client (ENG) |
| Dell Wyse 5470 AIO Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 AIO Thin Client (JPN) |
| Dell Wyse 5470 AIO Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 AIO Thin Client with PCoIP (ENG) |
| Dell Wyse 5470 AIO Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 AIO Thin Client with PCoIP (JPN) |
| Dell Wyse 5470 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client (ENG) |
| Dell Wyse 5470 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client (JPN) |
| Dell Wyse 5470 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client with PCoIP (ENG) |
| Dell Wyse 5470 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 Thin Client with PCoIP (JPN) |
| Dell Wyse 7010 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 7010 Thin Client (ENG) |
| Dell Wyse 7010 thin client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 7010 thin client (JPN) |
The following is a list of impacted products and remediations. Customers should use the latest releases available which use secure default configurations.
| Product | Affected Version(s) | Updated Version(s) | Link to Update |
| Dell Wyse 3040 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 3040 Thin Client (ENG) |
| Dell Wyse 3040 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 3040 Thin Client (JPN) |
| Dell Wyse 3040 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 3040 Thin Client with PCoIP (ENG) |
| Dell Wyse 3040 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 3040 Thin Client with PCoIP (JPN) |
| Dell Wyse 5010 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5010 Thin Client (ENG) |
| Dell Wyse 5010 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5010 Thin Client (JPN) |
| Dell Wyse 5010 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5010 Thin Client with PCoIP (ENG) |
| Dell Wyse 5010 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5010 Thin Client with PCoIP (JPN) |
| Dell Wyse 5040 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5040 Thin Client (ENG) |
| Dell Wyse 5040 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5040 Thin Client (JPN) |
| Dell Wyse 5040 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5040 Thin Client with PCoIP (ENG) |
| Dell Wyse 5040 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5040 Thin Client with PCoIP (JPN) |
| Dell Wyse 5060 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5060 Thin Client (ENG) |
| Dell Wyse 5060 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5060 Thin Client (JPN) |
| Dell Wyse 5060 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5060 Thin Client with PCoIP (ENG) |
| Dell Wyse 5060 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5060 Thin Client with PCoIP (JPN) |
| Dell Wyse 5070 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5070 Thin Client (ENG) |
| Dell Wyse 5070 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5070 Thin Client (JPN) |
| Dell Wyse 5070 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5070 Thin Client with PCoIP (ENG) |
| Dell Wyse 5070 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5070 Thin Client with PCoIP (JPN) |
| Dell Wyse 5470 AIO Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 AIO Thin Client (ENG) |
| Dell Wyse 5470 AIO Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 AIO Thin Client (JPN) |
| Dell Wyse 5470 AIO Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 AIO Thin Client with PCoIP (ENG) |
| Dell Wyse 5470 AIO Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 AIO Thin Client with PCoIP (JPN) |
| Dell Wyse 5470 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client (ENG) |
| Dell Wyse 5470 Thin Client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client (JPN) |
| Dell Wyse 5470 Thin Client with PCoIP (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 5470 Thin Client with PCoIP (ENG) |
| Dell Wyse 5470 Thin Client with PCoIP (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol |
8.6 MR8 | Dell Wyse 5470 Thin Client with PCoIP (JPN) |
| Dell Wyse 7010 Thin Client (ENG) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 7010 Thin Client (ENG) |
| Dell Wyse 7010 thin client (JPN) | Versions prior to 8.6 MR8 where the Client is receiving configurations from a remote file server over an insecure protocol | 8.6 MR8 | Dell Wyse 7010 thin client (JPN) |
Obejścia problemu i środki zaradcze
Below are best practices to address this issue. Dell recommends customers implement one of the following:
- Secure the file server environment when using Dell Wyse ThinOS 8.6 clients – Impacted ThinOS 8.6 customers can secure their environment by updating their file servers to use a secure protocol (HTTPS instead of HTTP or FTP) and by ensuring file servers are set to read-only access.
- Deploy Dell Wyse Management Suite – Impacted ThinOS 8.6 customers can use Wyse Management Suite instead of a file server for imaging and device configuration. Wyse Management Suite communications enforce HTTPS protocol and all configurations are stored in a secure server database instead of editable configuration files.
- Deploy Dell Wyse Management Suite with ThinOS 9 – In addition to deploying Wyse Management Suite, customers with eligible Wyse clients can update their operating system to ThinOS 9 free of charge. ThinOS 9 clients do not support file server configuration, and thus this exploit does not apply to Wyse clients running ThinOS 9.
Historia zmian
| Revision | Date | Description |
| 1.0 | 2020-12-21 | Initial Release |
Podziękowania
Dell would like to thank Prof. Gil David and Elad Luz of CyberMDX for reporting this vulnerability.
Powiązane informacje
Zastrzeżenie prawne
Produkty, których dotyczy problem
Dell ThinOSWłaściwości artykułu
Numer artykułu: 000180768
Typ artykułu: Dell Security Advisory
Ostatnia modyfikacja: 17 lut 2021
Znajdź odpowiedzi na swoje pytania u innych użytkowników produktów Dell
Usługi pomocy technicznej
Sprawdź, czy Twoje urządzenie jest objęte usługą pomocy technicznej.