DSA-2023-338: Security Update for a Dell Update Package (DUP) Framework Vulnerability
Summary: Dell Update Package (DUP) Framework remediation is available for an Uncontrolled Search Path vulnerability that could be exploited by malicious users to compromise the affected system.
Ця стаття стосується
Ця стаття не стосується
Ця стаття не стосується якогось конкретного продукту.
У цій статті зазначено не всі версії продукту.
Impact
Medium
Додаткова інформація
A (DUP) is a self-contained executable in a standard package format that updates a single software/firmware element on the system. A DUP consists of two parts: 1. A framework providing a consistent interface for applying payloads. 2. The payload is the firmware/Driver/Software. An Uncontrolled Search Path Vulnerability is applicable to Dell Update Package (DUP) Framework file versions prior to 4.9.10 used in Dell Client Platforms.
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-39254 | Dell Update Package (DUP), Versions prior to 4.9.10 contain an Uncontrolled Search Path vulnerability. A malicious user with local access to the system could potentially exploit this vulnerability to run arbitrary code as admin. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2023-39254 | Dell Update Package (DUP), Versions prior to 4.9.10 contain an Uncontrolled Search Path vulnerability. A malicious user with local access to the system could potentially exploit this vulnerability to run arbitrary code as admin. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
Продукти й засоби виправлення, яких це стосується
| Product | Affected Version(s) | Updated Version(s) | Link to Update |
|---|---|---|---|
| Dell Update Package (DUP) Framework | Versions prior to 4.9.10 | 4.9.10 |
| Product | Affected Version(s) | Updated Version(s) | Link to Update |
|---|---|---|---|
| Dell Update Package (DUP) Framework | Versions prior to 4.9.10 | 4.9.10 |
CAUTION: Dell recommends executing Dell Update Package (DUP) software packages from a protected location, one that requires administrative privileges to access, as a best practice.
CAUTION: Dell recommends customers follow security best practices for malware protection. Customers should use security software to help protect against malware (advanced threat prevention software or anti-virus).
Обхідні шляхи й зведення до мінімуму наслідків
NOTE: Customers should use the latest Dell Update Package (DUP) available from Dell support when updating their systems. Customers do not need to download and rerun DUPs if the system is already running the latest BIOS, firmware, or driver content.
NOTE: To check the DUP Framework file version, right-click on the DUP file, select Properties, and click on the Details tab to find the File version number.
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2024-02-13 | Initial Release |
| 2.0 | 2024-02-21 | Updated for enhanced presentation with no changes to content |
| 3.0 | 2024-02-21 | Updated for enhanced presentation with no changes to content |
| 4.0 | 2024-02-29 | Updated for enhanced presentation with no changes to content |
Acknowledgements
Dell Technologies would like to thank Dohyun Lee for reporting this issue.
Related Information
Заява про відмову від відповідальності
Продукти, яких це стосується
Dell Update Packages - Current VersionВластивості статті
Article Number: 000217701
Article Type: Dell Security Advisory
Востаннє змінено: 29 лют. 2024
Отримайте відповіді на свої запитання від інших користувачів Dell
Служба підтримки
Перевірте, чи послуги служби підтримки поширюються на ваш пристрій.