Vulnerability-Lookup

CNVD-2024-00194

Vulnerability from cnvd - Published: 2024-01-03

Title

Dell Rugged Control Center访问控制错误漏洞

Description

Dell Rugged Control Center是美国戴尔（Dell）公司的一个应用程序。允许在坚固的设备上配置一系列设置，例如应用程序设置、键盘背光设置、夜间模式设置、隐身模式设置、窗口设置、天线开关设置和GPS设置。 Dell Rugged Control Center 4.7之前版本存在访问控制错误漏洞，攻击者可利用该漏洞在产品安装和升级过程中修改文件夹中的内容，从而进行权限提升。

Severity

中

Patch Name

Dell Rugged Control Center访问控制错误漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=4M3T2

Reference

https://www.dell.com/support/kbdoc/en-us/000217705/dsa-2023-340

Impacted products

Name
DELL Dell Rugged Control Center <4.7

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-39257",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-39257"
    }
  },
  "description": "Dell Rugged Control Center\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u3002\u5141\u8bb8\u5728\u575a\u56fa\u7684\u8bbe\u5907\u4e0a\u914d\u7f6e\u4e00\u7cfb\u5217\u8bbe\u7f6e\uff0c\u4f8b\u5982\u5e94\u7528\u7a0b\u5e8f\u8bbe\u7f6e\u3001\u952e\u76d8\u80cc\u5149\u8bbe\u7f6e\u3001\u591c\u95f4\u6a21\u5f0f\u8bbe\u7f6e\u3001\u9690\u8eab\u6a21\u5f0f\u8bbe\u7f6e\u3001\u7a97\u53e3\u8bbe\u7f6e\u3001\u5929\u7ebf\u5f00\u5173\u8bbe\u7f6e\u548cGPS\u8bbe\u7f6e\u3002\n\nDell Rugged Control Center 4.7\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4ea7\u54c1\u5b89\u88c5\u548c\u5347\u7ea7\u8fc7\u7a0b\u4e2d\u4fee\u6539\u6587\u4ef6\u5939\u4e2d\u7684\u5185\u5bb9\uff0c\u4ece\u800c\u8fdb\u884c\u6743\u9650\u63d0\u5347\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=4M3T2",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-00194",
  "openTime": "2024-01-03",
  "patchDescription": "Dell Rugged Control Center\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u3002\u5141\u8bb8\u5728\u575a\u56fa\u7684\u8bbe\u5907\u4e0a\u914d\u7f6e\u4e00\u7cfb\u5217\u8bbe\u7f6e\uff0c\u4f8b\u5982\u5e94\u7528\u7a0b\u5e8f\u8bbe\u7f6e\u3001\u952e\u76d8\u80cc\u5149\u8bbe\u7f6e\u3001\u591c\u95f4\u6a21\u5f0f\u8bbe\u7f6e\u3001\u9690\u8eab\u6a21\u5f0f\u8bbe\u7f6e\u3001\u7a97\u53e3\u8bbe\u7f6e\u3001\u5929\u7ebf\u5f00\u5173\u8bbe\u7f6e\u548cGPS\u8bbe\u7f6e\u3002\r\n\r\nDell Rugged Control Center 4.7\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4ea7\u54c1\u5b89\u88c5\u548c\u5347\u7ea7\u8fc7\u7a0b\u4e2d\u4fee\u6539\u6587\u4ef6\u5939\u4e2d\u7684\u5185\u5bb9\uff0c\u4ece\u800c\u8fdb\u884c\u6743\u9650\u63d0\u5347\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell Rugged Control Center\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "DELL Dell Rugged Control Center \u003c4.7"
  },
  "referenceLink": "https://www.dell.com/support/kbdoc/en-us/000217705/dsa-2023-340",
  "serverity": "\u4e2d",
  "submitTime": "2023-12-05",
  "title": "Dell Rugged Control Center\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2023-39257 (GCVE-0-2023-39257)

Vulnerability from cvelistv5 – Published: 2023-12-02 04:22 – Updated: 2024-08-02 18:02

Summary

Dell Rugged Control Center, version prior to 4.7, contains an Improper Access Control vulnerability. A local malicious standard user could potentially exploit this vulnerability to modify the content in an unsecured folder when product installation repair is performed, leading to privilege escalation on the system.

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-284 - Improper Access Control

Assigner

dell

References

URL

Tags

https://www.dell.com/support/kbdoc/en-us/00021770…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Dell	Rugged Control Center (RCC)	Affected: Versions prior to 4.7

Date Public ?

2023-11-30 06:30

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:02:06.891Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.dell.com/support/kbdoc/en-us/000217705/dsa-2023-340"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Rugged Control Center (RCC)",
          "vendor": "Dell",
          "versions": [
            {
              "status": "affected",
              "version": "Versions prior to 4.7"
            }
          ]
        }
      ],
      "datePublic": "2023-11-30T06:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDell Rugged Control Center, version prior to 4.7, contains an Improper Access Control vulnerability. A local malicious standard user could potentially exploit this vulnerability to modify the content in an unsecured folder when product installation repair is performed, leading to privilege escalation on the system.\u003c/span\u003e\n\n"
            }
          ],
          "value": "\nDell Rugged Control Center, version prior to 4.7, contains an Improper Access Control vulnerability. A local malicious standard user could potentially exploit this vulnerability to modify the content in an unsecured folder when product installation repair is performed, leading to privilege escalation on the system.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-02T04:22:05.478Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-us/000217705/dsa-2023-340"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2023-39257",
    "datePublished": "2023-12-02T04:22:05.478Z",
    "dateReserved": "2023-07-26T08:15:44.774Z",
    "dateUpdated": "2024-08-02T18:02:06.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-00194

CVE-2023-39257 (GCVE-0-2023-39257)

Tags

Sightings

Nomenclature