Headline
CVE-2023-32458: DSA-2023-331: Dell EMC AppSync Security Update for Dell Embedded Service Enabler vulnerability.
Dell AppSync, versions 4.4.0.0 to 4.6.0.0 including Service Pack releases, contains an improper access control vulnerability in the Embedded Service Enabler component. A local malicious user could potentially exploit this vulnerability during installation, leading to a privilege escalation.
Impact
High
Details
Proprietary Code CVE: CVE-2023-32458
Description: Dell AppSync, versions 4.4.0.0 to 4.6.0.0 including Service Pack releases, contains an improper access control vulnerability in the Embedded Service Enabler component. A local malicious user could potentially exploit this vulnerability during installation, leading to a privilege escalation.
CVSS Base Score: 7.3
CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.
Affected Products and Remediation
Product: Dell EMC AppSync
Affected Versions: Versions 4.4.0.0, 4.5.0.0 and 4.6.0.0 including Service Pack releases
Updated Versions: Versions 4.4.0.0, 4.5.0.0 and 4.6.0.0 including Service Pack releases
Link to Update: https://www.dell.com/support/home/product-support/product/appsync/drivers
Acknowledgements
Dell Technologies would like to thank Gee-netics for reporting this issue.
Revision History
Revision: 1.0
Date: 2023-09-27
Description: Initial Release
Related Information
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
Additional Information
The vulnerability is exploitable only during a fresh install of AppSync releases. The user should make sure that the install path or directory targeted for the AppSync server installation is empty.
AppSync 4.6.0.0 document: AppSync 4.6 Installation and Configuration Guide (dell.com)
AppSync 4.5.0.0 document: AppSync 4.5 Installation and Configuration Guide (dell.com)
AppSync 4.4.0.0 document: Dell EMC AppSync 4.4 SP1 Installation and Configuration Guide
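One way to check the empty-directory requirement under Additional Information before starting a fresh install. This is an added example, not Dell code or part of the advisory. The function name audit_install_path and the script name are hypothetical, and the install directory is supplied by the operator.

```python
import os
import sys
import time
from pathlib import Path


def audit_install_path(target):
    """Check a directory chosen for a fresh install.

    Returns (ok, findings). ok is True only when the path does not exist
    yet or is a real directory with no entries at all.
    """
    path = Path(target)
    if not os.path.lexists(path):
        return True, []  # nothing there; the installer creates it
    if path.is_symlink() or not path.is_dir():
        return False, [f"{path}: exists but is not a plain directory"]
    findings = []
    # os.scandir also returns hidden and system entries, which a
    # casual look in a file manager can miss.
    with os.scandir(path) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            info = entry.stat(follow_symlinks=False)
            kind = "dir" if entry.is_dir(follow_symlinks=False) else "file"
            stamp = time.strftime("%Y-%m-%d %H:%M:%S",
                                  time.localtime(info.st_mtime))
            findings.append(f"{kind} {entry.name} (modified {stamp})")
    return not findings, findings


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python audit_install_path.py <intended AppSync install directory>
    if len(sys.argv) != 2:
        sys.exit("usage: audit_install_path.py <install-directory>")
    ok, findings = audit_install_path(sys.argv[1])
    for line in findings:
        print("  found:", line)
    print("OK: path is absent or empty" if ok else "STOP: path is not empty")
    sys.exit(0 if ok else 1)
```

The script exits non-zero when anything is found, so it can gate an installation runbook step. Anything it lists should be reviewed and cleared before the installer is run.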