Allele Security Alert
ASA-2019-00546
Identifier(s)
ASA-2019-00546, CVE-2019-3726, DSA-2019-065
Title
Uncontrolled Search Path Vulnerability
Vendor(s)
Dell EMC
Product(s)
Dell Update Package (DUP) Framework
Affected version(s)
For Dell Client Platforms:
- Dell Update Package (DUP) Framework file versions prior to 3.8.3.67
For Dell EMC Servers – Networking and Fibre Channel Drivers:
- Dell Update Package (DUP) Framework file versions prior to 103.4.6.69
For Dell EMC Servers – all other Drivers, BIOS and Firmware:
- Dell Update Package (DUP) Framework file versions prior to 19.1.0.413
Fixed version(s)
Dell Client Platforms:
- Dell Update Package (DUP) Framework file version 3.8.3.67 or later
Dell EMC Servers – Networking and Fibre Channel Drivers:
- Dell Update Package (DUP) Framework file version 103.4.6.69 or later
Dell EMC Servers – all other Drivers, BIOS and Firmware:
- Dell Update Package (DUP) Framework file version 19.1.0.413 or later
Proof of concept
Unknown
Description
The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated, low-privileged malicious user could potentially exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.
Technical details
Unknown
Credits
Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony
Reference(s)
DSA-2019-065: Dell Update Package (DUP) Framework Uncontrolled Search Path Vulnerability
https://www.dell.com/support/article/us/en/04/sln318693/dsa-2019-065-dell-update-package-dup-framework-uncontrolled-search-path-vulnerability?lang=en
CVE-2019-3726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3726
CVE-2019-3726
https://nvd.nist.gov/vuln/detail/CVE-2019-3726
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: September 25, 2019