cnvd - cnvd-2019-34382

CNVD-2019-34382

Vulnerability from cnvd - Published: 2019-10-10

Title

Dell Update Package Framework代码问题漏洞

Description

Dell Update Package（DUP）Framework是美国戴尔（Dell）公司的一款用于更新系统组件的框架。该产品主要提供驱动程序、应用程序、BIOS和固件的安装程序。 Dell DUP Framework文件中存在代码问题漏洞，本地攻击者可通过诱使管理员运行可信的库，进而加载恶意的DLL利用该漏洞在用户系统上执行任意代码。

Severity

中

Patch Name

Dell Update Package Framework代码问题漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.dell.com/support/article/cn/zh/cnbsd1/sln318693/dsa-2019-065-dell-update-package-dup-framework-uncontrolled-search-path-vulnerability?lang=en

Reference

https://www.dell.com/support/article/SLN318693 https://nvd.nist.gov/vuln/detail/CVE-2019-3726

Impacted products

Name
['Dell Update Package (DUP) Framework file 19.1.0.413（Dell EMC Servers）', 'Dell Update Package (DUP) Framework file 103.4.6.69（Dell EMC Servers）', 'Dell Update Package (DUP) Framework file 3.8.3.67（Dell Client Platforms）']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-3726"
    }
  },
  "description": "Dell Update Package\uff08DUP\uff09Framework\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u66f4\u65b0\u7cfb\u7edf\u7ec4\u4ef6\u7684\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u63d0\u4f9b\u9a71\u52a8\u7a0b\u5e8f\u3001\u5e94\u7528\u7a0b\u5e8f\u3001BIOS\u548c\u56fa\u4ef6\u7684\u5b89\u88c5\u7a0b\u5e8f\u3002\n\nDell DUP Framework\u6587\u4ef6\u4e2d\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7ba1\u7406\u5458\u8fd0\u884c\u53ef\u4fe1\u7684\u5e93\uff0c\u8fdb\u800c\u52a0\u8f7d\u6076\u610f\u7684DLL\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Alexandre Braeken\u3001Silas Cutler \u548c Eran Shimony",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.dell.com/support/article/cn/zh/cnbsd1/sln318693/dsa-2019-065-dell-update-package-dup-framework-uncontrolled-search-path-vulnerability?lang=en",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-34382",
  "openTime": "2019-10-10",
  "patchDescription": "Dell Update Package\uff08DUP\uff09Framework\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u66f4\u65b0\u7cfb\u7edf\u7ec4\u4ef6\u7684\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u63d0\u4f9b\u9a71\u52a8\u7a0b\u5e8f\u3001\u5e94\u7528\u7a0b\u5e8f\u3001BIOS\u548c\u56fa\u4ef6\u7684\u5b89\u88c5\u7a0b\u5e8f\u3002\r\n\r\nDell DUP Framework\u6587\u4ef6\u4e2d\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7ba1\u7406\u5458\u8fd0\u884c\u53ef\u4fe1\u7684\u5e93\uff0c\u8fdb\u800c\u52a0\u8f7d\u6076\u610f\u7684DLL\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell Update Package Framework\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Dell Update Package (DUP) Framework file 19.1.0.413\uff08Dell EMC Servers\uff09",
      "Dell Update Package (DUP) Framework file 103.4.6.69\uff08Dell EMC Servers\uff09",
      "Dell Update Package (DUP) Framework file 3.8.3.67\uff08Dell Client Platforms\uff09"
    ]
  },
  "referenceLink": "https://www.dell.com/support/article/SLN318693\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3726",
  "serverity": "\u4e2d",
  "submitTime": "2019-09-25",
  "title": "Dell Update Package Framework\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2019-3726 (GCVE-0-2019-3726)

Vulnerability from cvelistv5 – Published: 2019-09-24 15:31 – Updated: 2024-09-16 17:58

Summary

An Uncontrolled Search Path Vulnerability is applicable to the following: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers. Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.

Severity ?

6.7 (Medium)


                        
                          CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE

Uncontrolled Search Path Vulnerability

Assigner

dell

References

URL

Tags

https://www.dell.com/support/article/SLN318693

x_refsource_CONFIRM

Impacted products

Vendor

Product

Version

Dell EMC

Dell EMC Servers: Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file

Affected: unspecified , < 103.4.6.69 (custom)

	Dell EMC	Dell EMC Servers: all other Drivers, BIOS and Firmware: Dell Update Package (DUP) Framework file	Affected: unspecified , < 19.1.0.413 (custom)
	Dell	Dell Client Platforms: Dell Update Packages (DUP) Framework file	Affected: unspecified , < 3.8.3.67 (custom)

Credits

Dell would like to thank Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:17.986Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.dell.com/support/article/SLN318693"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Dell EMC Servers: Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file",
          "vendor": "Dell EMC",
          "versions": [
            {
              "lessThan": "103.4.6.69",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Dell EMC Servers: all other Drivers, BIOS and Firmware: Dell Update Package (DUP) Framework file",
          "vendor": "Dell EMC",
          "versions": [
            {
              "lessThan": "19.1.0.413",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Dell Client Platforms: Dell Update Packages (DUP) Framework file",
          "vendor": "Dell",
          "versions": [
            {
              "lessThan": "3.8.3.67",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Dell would like to thank Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony for reporting this issue."
        }
      ],
      "datePublic": "2019-09-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An Uncontrolled Search Path Vulnerability is applicable to the following: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers. Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Uncontrolled Search Path Vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-24T15:31:31",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.dell.com/support/article/SLN318693"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.8"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "DATE_PUBLIC": "2019-09-12T04:00:00.000Z",
          "ID": "CVE-2019-3726",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Dell EMC Servers: Networking and Fibre Channel Drivers: Dell Update Package (DUP) Framework file",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "103.4.6.69"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Dell EMC Servers: all other Drivers, BIOS and Firmware: Dell Update Package (DUP) Framework file",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "19.1.0.413"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Dell EMC"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Dell Client Platforms: Dell Update Packages (DUP) Framework file",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.8.3.67"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Dell"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Dell would like to thank Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Uncontrolled Search Path Vulnerability is applicable to the following: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers. Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.8"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Uncontrolled Search Path Vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.dell.com/support/article/SLN318693",
              "refsource": "CONFIRM",
              "url": "https://www.dell.com/support/article/SLN318693"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2019-3726",
    "datePublished": "2019-09-24T15:31:31.400660Z",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-09-16T17:58:10.848Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-34382

CVE-2019-3726 (GCVE-0-2019-3726)

Tags

Sightings

Nomenclature