Headline
CVE-2022-29095: DSA-2022-139 - Dell SupportAssist for Home PCs and Business PCs Security Update for Multiple Security Vulnerabilities.
Dell SupportAssist Client Consumer versions (3.10.4 and prior) and Dell SupportAssist Client Commercial versions (3.1.1 and prior) contain a cross-site scripting vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability under specific conditions leading to execution of malicious code on a vulnerable system.
Vaikutus
High
Tiedot
Proprietary Code CVEs
Description
CVSS Base Score
CVSS Vector String
CVE-2022-29092
Dell SupportAssist Client Consumer versions (3.11.0 and versions prior) and Dell SupportAssist Client Commercial versions (3.2.0 and versions prior) contain a privilege escalation vulnerability. A non-admin user can exploit the vulnerability and gain admin access to the system.
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-29093
Dell SupportAssist Client Consumer versions (3.10.4 and versions prior) and Dell SupportAssist Client Commercial versions (3.1.1 and versions prior) contain an arbitrary file deletion vulnerability. Authenticated non-admin user could exploit the issue and delete arbitrary files on the system.
7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVE-2022-29094
Dell SupportAssist Client Consumer versions (3.10.4 and versions prior) and Dell SupportAssist Client Commercial versions (3.1.1 and versions prior) contain an arbitrary file deletion/overwrite vulnerability. Authenticated non-admin user could exploit the issue and delete or overwrite arbitrary files on the system.
7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVE-2022-29095
Dell SupportAssist Client Consumer versions (3.10.4 and prior) and Dell SupportAssist Client Commercial versions (3.1.1 and prior) contain a cross-site scripting vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability under specific conditions leading to execution of malicious code on a vulnerable system.
8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Proprietary Code CVEs
Description
CVSS Base Score
CVSS Vector String
CVE-2022-29092
Dell SupportAssist Client Consumer versions (3.11.0 and versions prior) and Dell SupportAssist Client Commercial versions (3.2.0 and versions prior) contain a privilege escalation vulnerability. A non-admin user can exploit the vulnerability and gain admin access to the system.
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-29093
Dell SupportAssist Client Consumer versions (3.10.4 and versions prior) and Dell SupportAssist Client Commercial versions (3.1.1 and versions prior) contain an arbitrary file deletion vulnerability. Authenticated non-admin user could exploit the issue and delete arbitrary files on the system.
7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVE-2022-29094
Dell SupportAssist Client Consumer versions (3.10.4 and versions prior) and Dell SupportAssist Client Commercial versions (3.1.1 and versions prior) contain an arbitrary file deletion/overwrite vulnerability. Authenticated non-admin user could exploit the issue and delete or overwrite arbitrary files on the system.
7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVE-2022-29095
Dell SupportAssist Client Consumer versions (3.10.4 and prior) and Dell SupportAssist Client Commercial versions (3.1.1 and prior) contain a cross-site scripting vulnerability. A remote unauthenticated malicious user could potentially exploit this vulnerability under specific conditions leading to execution of malicious code on a vulnerable system.
8.3
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.
Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen
CVEs Addressed
Product
Affected Versions
Updated Versions
Link to Update
CVE-2022-29092
Dell SupportAssist for Home PCs
Version 3.11.0 and earlier
N/A
There are two ways in which customers can get the latest component which has the fix.
1. Manual steps: (Recommended)
a. Launch SupportAssist UI,
b. Go to Home Page of SupportAssist UI,
c. Click on “Run” on Driver Scans tile.
d. Latest component with the fix will be downloaded.
- If Driver Schedule Scan is enabled (Can be checked by going to Settings Page --> Automatic Scan Options):
a. Scheduled Driver Scan will be triggered based on the scan frequency selected by user (Weekly/Monthly. By default, its weekly).
b. Latest component with the fix will be downloaded.
Dell SupportAssist for Business PCs
Version 3.2.0 and earlier
N/A
There are two ways in which customers can get the latest component which has the fix.
1. Manual steps: (Recommended)
a. Launch SupportAssist UI.
b. Go to Home Page of SupportAssist UI.
c. Click on “Run” on Driver Scans tile.
d. Latest component with the fix will be downloaded.
- If Driver Schedule Scan is enabled (Can be checked by going to Settings Page --> Automatic Scan Options):
a. Scheduled Driver Scan will be triggered based on the scan frequency selected by user (Weekly/Monthly. By default, its weekly).
b. Latest component with the fix will be downloaded.
CVE-2022-29093, CVE-2022-29094, CVE-2022-29095
Dell SupportAssist for Home PCs
3.10.4 and prior
3.11.3
SupportAssist for Home PCs
Release Notes and User Guide
Dell SupportAssist for Business PCs
3.1.1 and prior
3.2.0
TechDirect Link for Admins
Release Notes and User Guide
CVEs Addressed
Product
Affected Versions
Updated Versions
Link to Update
CVE-2022-29092
Dell SupportAssist for Home PCs
Version 3.11.0 and earlier
N/A
There are two ways in which customers can get the latest component which has the fix.
1. Manual steps: (Recommended)
a. Launch SupportAssist UI,
b. Go to Home Page of SupportAssist UI,
c. Click on “Run” on Driver Scans tile.
d. Latest component with the fix will be downloaded.
- If Driver Schedule Scan is enabled (Can be checked by going to Settings Page --> Automatic Scan Options):
a. Scheduled Driver Scan will be triggered based on the scan frequency selected by user (Weekly/Monthly. By default, its weekly).
b. Latest component with the fix will be downloaded.
Dell SupportAssist for Business PCs
Version 3.2.0 and earlier
N/A
There are two ways in which customers can get the latest component which has the fix.
1. Manual steps: (Recommended)
a. Launch SupportAssist UI.
b. Go to Home Page of SupportAssist UI.
c. Click on “Run” on Driver Scans tile.
d. Latest component with the fix will be downloaded.
- If Driver Schedule Scan is enabled (Can be checked by going to Settings Page --> Automatic Scan Options):
a. Scheduled Driver Scan will be triggered based on the scan frequency selected by user (Weekly/Monthly. By default, its weekly).
b. Latest component with the fix will be downloaded.
CVE-2022-29093, CVE-2022-29094, CVE-2022-29095
Dell SupportAssist for Home PCs
3.10.4 and prior
3.11.3
SupportAssist for Home PCs
Release Notes and User Guide
Dell SupportAssist for Business PCs
3.1.1 and prior
3.2.0
TechDirect Link for Admins
Release Notes and User Guide
Kiitokset
Dell would like to thank Molybdenum for reporting CVE-2022-29092 and Patrick Murphy for reporting CVE-2022-29093, CVE-2022-29094.
Versiohistoria
Revision
Date
Description
1.0
2022-06-09
Initial Draft
Asiaan liittyvät tiedot
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan “sellaisenaan” ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.
09 kesäk. 2022