Uncontrolled Search Path Vulnerability in Dell Update Package Framework
CVE-2019-3726

6.7MEDIUM

Key Information:

Vendor: Dell
Status: Dell Emc Servers: Networking And Fibre Channel Drivers: Dell Update Package (dup) Framework File; Dell Emc Servers: All Other Drivers, BiOS And Firmware: Dell Update Package (dup) Framework File; Dell Client Platforms: Dell Update Packages (dup) Framework File
Vendor: CVE Published:; 24 September 2019

Summary

This vulnerability allows a malicious low-privileged user to exploit the execution of a trusted binary during the operation of the Dell Update Package (DUP) Framework by tricking an administrator into running it, which can lead to arbitrary code execution through the loading of a malicious DLL file. This risk emphasizes the importance of ensuring the integrity of binaries and careful management of user permissions during system updates.

Affected Version(s)

Dell Client Platforms: Dell Update Packages (DUP) Framework file < 3.8.3.67

Dell EMC Servers: all other Drivers, BIOS and Firmware: Dell Update Package (DUP) Framework file < 19.1.0.413

Dell EMC Servers: Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file < 103.4.6.69

References

https://www.dell.com/support/article/SLN318693

x_refsource_CONFIRM

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 24, 2019
Vulnerability Reserved
Jan 3, 2019

Credit

Dell would like to thank Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony for reporting this issue.