ASA-2019-00546 – Dell Update Package (DUP) Framework: Uncontrolled Search Path Vulnerability


Allele Security Alert

ASA-2019-00546

Identifier(s)

ASA-2019-00546, CVE-2019-3726, DSA-2019-065

Title

Uncontrolled Search Path Vulnerability

Vendor(s)

Dell EMC

Product(s)

Dell Update Package (DUP) Framework

Affected version(s)

For Dell Client Platforms:

  • Dell Update Package (DUP) Framework file versions prior to 3.8.3.67

For Dell EMC Servers – Networking and Fibre Channel Drivers:

  • Dell Update Package (DUP) Framework file versions prior to 103.4.6.69

For Dell EMC Servers – all other Drivers, BIOS and Firmware:

  • Dell Update Package (DUP) Framework file versions prior to 19.1.0.413

Fixed version(s)

Dell Client Platforms:

  • Dell Update Package (DUP) Framework file version 3.8.3.67 or later

Dell EMC Servers – Networking and Fibre Channel Drivers:

  • Dell Update Package (DUP) Framework file version 103.4.6.69 or later

Dell EMC Servers – all other Drivers, BIOS and Firmware:

  • Dell Update Package (DUP) Framework file version 19.1.0.413 or later
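
As an added example (not part of the original alert or of Dell's advisory), the affected and fixed version lists above can be turned into a triage check over collected DUP Framework file versions. The family labels, file names and sample versions are constructed, and the product family of each package is assumed to be supplied by the operator.

```python
# Added example: triage collected DUP Framework file versions against the
# fixed versions listed in this alert. The inventory below is constructed.

# Minimum fixed file version per product family (values from this alert;
# the family labels themselves are hypothetical names chosen for this example).
FIXED = {
    "client": (3, 8, 3, 67),
    "server-network-fc": (103, 4, 6, 69),
    "server-other": (19, 1, 0, 413),
}


def parse_version(text):
    """Parse a four-part Windows file version such as '3.8.3.67'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(family, version_text):
    """Return 'affected', 'fixed' or 'unknown' for one package."""
    fixed = FIXED.get(family)
    if fixed is None:
        return "unknown"      # family not covered by this alert
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"      # unreadable version: review by hand
    # Integer tuples compare numerically, so 3.8.3.100 > 3.8.3.67,
    # which a plain string comparison would get wrong.
    return "affected" if version < fixed else "fixed"


def triage_inventory(rows):
    """Map each (name, family, version) row to its verdict."""
    return {name: triage(family, version) for name, family, version in rows}


# Constructed sample inventory (hypothetical file names and versions).
SAMPLE = [
    ("bios-update.exe", "client", "3.8.3.66"),
    ("nic-driver.exe", "server-network-fc", "103.4.6.69"),
    ("raid-fw.exe", "server-other", "19.1.0.1000"),
    ("chipset.exe", "client", "3.8.3"),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Entries reported as "unknown" have a family or version the check could not interpret and need manual review rather than being treated as fixed.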

Proof of concept

Unknown

Description

The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this window, a locally authenticated, low-privileged malicious user could potentially exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.

Technical details

Unknown

Credits

Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony

Reference(s)

DSA-2019-065: Dell Update Package (DUP) Framework Uncontrolled Search Path Vulnerability
https://www.dell.com/support/article/us/en/04/sln318693/dsa-2019-065-dell-update-package-dup-framework-uncontrolled-search-path-vulnerability?lang=en

CVE-2019-3726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3726

CVE-2019-3726
https://nvd.nist.gov/vuln/detail/CVE-2019-3726

Last modified: September 25, 2019