Dell devices: RCE vulnerabilities in SupportAssist Client

The Dell SupportAssist Client, which ships preinstalled on Dell devices, contains several vulnerabilities that allow remote code execution (RCE). Dell has therefore published a security advisory.

The details are in Dell's advisory DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities, released on April 23, 2019, which is still attracting attention [1, 2].

Dell SupportAssist Client with RCE vulnerabilities

Dell states that Dell SupportAssist Client versions prior to 3.2.0.90 are affected by multiple vulnerabilities. Dell writes:

Dell SupportAssist Client has been updated to address multiple vulnerabilities which may be potentially exploited to compromise the system.

The remediation is to upgrade the Dell SupportAssist Client to version 3.2.0.90.

Improper Origin Validation (CVE-2019-3718)

Dell SupportAssist Client versions prior to 3.2.0.90 contain an improper origin validation vulnerability. An unauthenticated remote attacker could exploit it to attempt cross-site request forgery (CSRF) attacks against users of affected systems. Dell rates this vulnerability with a CVSSv3 base score of 7.6, which is quite high.

Remote Code Execution Vulnerability (CVE-2019-3719)

Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker who shares the network access layer with the vulnerable system may compromise it: the attacker causes an affected user to execute arbitrary executables from websites hosted by the attacker via the SupportAssist client. Dell rates this vulnerability with a CVSSv3 base score of 7.1, which is also quite high.

Dell recommends an immediate upgrade

Dell SupportAssist Client version 3.2.0.90 and later fix these vulnerabilities. Dell encourages all customers to upgrade to this version as soon as possible. It can be downloaded from the following Dell page:

Dell SupportAssist Client Version 3.2.0.90 Installer
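Administrators will want to know which machines still run a client below 3.2.0.90 before the upgrade is rolled out. The following PowerShell check is an added example written for this article, not code from Dell or from the advisory; it assumes the client registers under the standard Windows Uninstall registry keys with a DisplayName containing "SupportAssist", so adjust the pattern if your image differs.

```powershell
# Added example (not from Dell or the article): report whether the installed
# Dell SupportAssist Client is below the fixed version 3.2.0.90 from DSA-2019-051.
# Assumption: the product is listed under the standard Uninstall keys with a
# DisplayName containing "SupportAssist".

$FixedVersion  = [version]'3.2.0.90'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SupportAssistInstall {
    # Enumerate installed products and keep only SupportAssist entries with a version.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SupportAssist*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-SupportAssistVulnerable {
    param([Parameter(Mandatory)][string]$DisplayVersion)
    # [version] compares component by component, so 3.10.0.1 is newer than 3.2.0.90;
    # a plain string comparison would get this ordering wrong.
    try   { $installed = [version]$DisplayVersion }
    catch { Write-Warning "Unparseable version string '$DisplayVersion'"; return $null }
    return ($installed -lt $FixedVersion)
}

$installs = @(Get-SupportAssistInstall)
if ($installs.Count -eq 0) {
    Write-Output 'Dell SupportAssist Client not found in the Uninstall registry keys.'
    exit 0
}

$needsUpgrade = $false
foreach ($app in $installs) {
    $isOld = Test-SupportAssistVulnerable -DisplayVersion $app.DisplayVersion
    $state = if ($isOld -eq $true)  { 'NEEDS UPGRADE (below 3.2.0.90)' }
             elseif ($isOld -eq $false) { 'patched (3.2.0.90 or later)' }
             else { 'unknown (version not parseable)' }
    Write-Output ('{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $state)
    if ($isOld -eq $true) { $needsUpgrade = $true }
}

# Non-zero exit code when an affected version is present, for use as a compliance rule.
if ($needsUpgrade) { exit 1 } else { exit 0 }
```

The exit code makes the script usable as a detection or compliance rule in a management tool, flagging only hosts that still carry a client older than 3.2.0.90.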
