Headline
CVE-2022-34366: DSA-2022-190- Dell SupportAssist for Home and Business PCs Security Update for Multiple Proprietary Code Vulnerabilities.
Dell SupportAssist for Home PCs (version 3.11.2 and prior) contains an Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.
Impact
High
Details
Proprietary Code CVEs

CVE-2022-34384
  Description: SupportAssist Client Consumer (version 3.11.1 and prior), SupportAssist Client Commercial (version 3.2 and prior), Dell Command | Update, Dell Update, and Alienware Update versions before 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user may potentially exploit this vulnerability, leading to privilege escalation.
  CVSS Base Score: 7.8
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34385
  Description: SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.
  CVSS Base Score: 5.5
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-34386
  Description: SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.
  CVSS Base Score: 5.5
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-34387
  Description: Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this vulnerability to elevate privileges and gain total control of the system.
  CVSS Base Score: 6.4
  CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34388
  Description: Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain an information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application.
  CVSS Base Score: 7.1
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE-2022-34366
  Description: SupportAssist for Home PCs (version 3.11.2 and prior) contains an Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.
  CVSS Base Score: 6.5
  CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE-2022-34389
  Description: Dell SupportAssist contains a rate limit bypass issue in the ScreenMeet API third-party component. An unauthenticated attacker could potentially exploit this vulnerability and impersonate a legitimate Dell customer to a Dell support technician.
  CVSS Base Score: 3.7
  CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-34392
  Description: SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration vulnerability. An authenticated non-admin user could obtain the refresh token, reuse the access token, and fetch sensitive information.
  CVSS Base Score: 5.5
  CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Dell Technologies recommends that all customers consider both the CVSS base score and any relevant temporal and environmental scores that may affect the potential severity of a specific security vulnerability.
Affected Products and Remediation
CVEs Addressed   Product                               Affected Versions            Updated Versions
CVE-2022-34384   Dell SupportAssist for Home PCs       Version 3.11.2 and earlier   3.12.3
                 Dell SupportAssist for Business PCs   Version 3.2.0 and earlier    3.3.0
CVE-2022-34385   Dell SupportAssist for Home PCs       Version 3.11.4 and earlier   3.12.3
                 Dell SupportAssist for Business PCs   Version 3.2.0 and earlier    3.3.0
CVE-2022-34386   Dell SupportAssist for Home PCs       Version 3.11.4 and earlier   3.12.3
                 Dell SupportAssist for Business PCs   Version 3.2.0 and earlier    3.3.0
CVE-2022-34387   Dell SupportAssist for Home PCs       Version 3.11.4 and earlier   3.12.3
                 Dell SupportAssist for Business PCs   Version 3.2.0 and earlier    3.3.0
CVE-2022-34388   Dell SupportAssist for Home PCs       Version 3.11.4 and earlier   3.12.3
                 Dell SupportAssist for Business PCs   Version 3.2.0 and earlier    3.3.0
CVE-2022-34366   Dell SupportAssist for Home PCs       Version 3.11.4 and earlier   3.12.3
CVE-2022-34389   Dell SupportAssist for Home PCs       Version 3.11.2 and earlier   3.12.3
                 Dell SupportAssist for Business PCs   Version 3.2.0 and earlier    3.3.0
CVE-2022-34392   Dell SupportAssist for Home PCs       Version 3.11.4 and earlier   3.12.3

Link to Update (applies to all rows above):

SupportAssist for Home PCs:
There are two ways in which the customer can get the latest component that has the fix.
1. Manual steps (recommended):
   a. Launch the SupportAssist UI.
   b. Go to the About page of the SupportAssist UI.
   c. Click "Check for Latest Updates".
2. Auto-update:
   - If the Auto-update setting is enabled on the Settings page, SupportAssist for Home PCs is automatically upgraded to the latest available version that has the fix.
   - The Auto-update setting can be verified on the Settings page under the Privacy option.
Links:
SupportAssist for Home PCs
Release Notes and User Guide

SupportAssist for Business PCs:
TechDirect Link for Admins
Release Notes and User Guide
Workarounds and Mitigations
None.
Acknowledgements
Dell would like to thank Gad Abuhatzeira from SOPHTIX Security and Nave ben Naim for reporting CVE-2022-34389.
Revision History
Revision   Date         Description
1.0        2022-10-11   Initial Release
2.0        2022-10-12   Update to "Affected Products and Remediation"
Related Information
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
12 Oct 2022