Article Number: 000137022
Medium
Dell Update Package (DUP) Framework has been updated to address a vulnerability which may be potentially exploited to compromise the system.
A (DUP) is a self-contained executable in a standard package format that updates a single software/firmware element on the system. A DUP consists of two parts:
For more details on DUPs, see DELL EMC Update Package (DUP) .
Uncontrolled Search Path Vulnerability (CVE-2019-3726)
An Uncontrolled Search Path Vulnerability is applicable to the following:
The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.
CVSSv3 Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
Uncontrolled Search Path Vulnerability (CVE-2019-3726)
An Uncontrolled Search Path Vulnerability is applicable to the following:
The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.
CVSSv3 Base Score: 6.7 (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
Affected products:
Remediation:
The following Dell Update Package (DUP) Frameworks contain a remediation to the vulnerability:
To check the DUP Framework file version, right-click on the DUP file, select Properties, and click on Details tab to find the File version number.
Customers should use the latest DUP available from Dell support when updating their systems. Customers do not need to download and rerun DUPs if the system is already running the latest BIOS, firmware, or driver content.
Dell also recommends executing DUP software packages from a protected location, one that requires administrative privileges to access as a best practice.
Dell recommends customers follow security best practices for malware protection. Customers should use security software to help protect against malware (advanced threat prevention software or anti-virus).
Affected products:
Remediation:
The following Dell Update Package (DUP) Frameworks contain a remediation to the vulnerability:
To check the DUP Framework file version, right-click on the DUP file, select Properties, and click on Details tab to find the File version number.
Customers should use the latest DUP available from Dell support when updating their systems. Customers do not need to download and rerun DUPs if the system is already running the latest BIOS, firmware, or driver content.
Dell also recommends executing DUP software packages from a protected location, one that requires administrative privileges to access as a best practice.
Dell recommends customers follow security best practices for malware protection. Customers should use security software to help protect against malware (advanced threat prevention software or anti-virus).
Dell would like to thank Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony for reporting this issue.
Desktops & All-in-Ones, Laptops, Networking, Datacenter Scalable Solutions, PowerEdge, C Series, Entry Level & Midrange
21 Feb 2021
Dell Security Advisory