Advisory for Dell Security Update

  • NIC-CERT/2022-10/431
  • Date: 2022-10-12
  • CVE ID: Multiple
  • Severity: High
  1. Description:

Multiple vulnerabilities have been reported in Dell products which could allow an attacker to compromise the affected system.

  2. Security Issues Fixed:

  • Dell SupportAssist for Home and Business PCs: remediation is available for a security vulnerability that may be exploited by malicious users to compromise the affected system.
  • Dell XtremIO: remediation is available for an SSH and Web UI vulnerability that could be exploited by malicious users to compromise the affected system.
  • Dell EMC VPLEX: remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

  3. Details:

Proprietary Code CVEs (Description, CVSS Base Score):

  • CVE-2022-34384 (CVSS Base Score 7.8): SupportAssist Client Consumer (version 3.11.1 and prior), SupportAssist Client Commercial (version 3.2 and prior), Dell Command | Update, Dell Update, and Alienware Update versions before 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user may potentially exploit this vulnerability, leading to privilege escalation.

  • CVE-2022-34385 (CVSS Base Score 5.5): SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.

  • CVE-2022-34386 (CVSS Base Score 5.5): SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.

  • CVE-2022-34387 (CVSS Base Score 6.4): Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this vulnerability to elevate privileges and gain total control of the system.

  • CVE-2022-34388 (CVSS Base Score 7.1): Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain an information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application.

  • CVE-2022-34366 (CVSS Base Score 6.5): SupportAssist for Home PCs (version 3.11.2 and prior) contains an Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.

  • CVE-2022-34389 (CVSS Base Score 3.7): Dell SupportAssist contains a rate limit bypass issue in the ScreenMeet API third-party component. An unauthenticated attacker could potentially exploit this vulnerability and impersonate a legitimate Dell customer to a Dell support technician.

  • CVE-2022-34392 (CVSS Base Score 5.5): SupportAssist for Home PCs (versions 3.11.4 and prior) contains an insufficient session expiration vulnerability. An authenticated non-admin user could obtain the refresh token, which allows the access token to be reused to fetch sensitive information.

  • CVE-2022-31228 (CVSS Base Score 8.1): Dell EMC XtremIO versions prior to X2 6.4.0-22 contain a brute-force vulnerability. A remote unauthenticated attacker can potentially exploit this vulnerability and gain access to an admin account.

Third-Party Component CVEs (CVE(s), More Information):

  • SUSE SLES 15-SP3
    CVE(s):
    CVE-2019-19536, CVE-2019-19534, CVE-2019-14901, CVE-2019-15916, CVE-2019-18809, CVE-2019-0154, CVE-2019-18805, CVE-2019-19081, CVE-2019-19080, CVE-2019-19083, CVE-2019-19060, CVE-2019-19082, CVE-2019-19067, CVE-2019-16231, CVE-2019-19046, CVE-2019-19068, CVE-2019-19063, CVE-2019-19062, CVE-2019-19065, CVE-2019-19525, CVE-2019-19528, CVE-2019-19049, CVE-2019-19543, CVE-2019-14895, CVE-2019-19227, CVE-2019-19524, CVE-2019-19529, CVE-2019-18660, CVE-2019-19056, CVE-2019-19078, CVE-2019-19077, CVE-2019-17055, CVE-2019-19058, CVE-2019-19531, CVE-2019-18683, CVE-2019-19057, CVE-2019-19530, CVE-2019-19052, CVE-2019-19074, CVE-2019-19073, CVE-2019-19075, CVE-2021-20233, CVE-2020-27779, CVE-2020-25632, CVE-2020-14372, CVE-2020-25647, CVE-2020-27749, CVE-2021-20225, CVE-2019-25013, CVE-2020-29562, CVE-2020-29573, CVE-2021-3326, CVE-2020-27618, CVE-2021-3144, CVE-2021-25281, CVE-2020-35662, CVE-2021-3197, CVE-2020-28972, CVE-2021-25283, CVE-2021-25282, CVE-2021-3148, CVE-2021-25284, CVE-2020-28243, CVE-2019-18348, CVE-2020-8492, CVE-2019-5010, CVE-2020-14422, CVE-2020-26116, CVE-2019-20907, CVE-2019-16935, CVE-2020-27619, CVE-2021-4034, CVE-2020-7217, CVE-2019-18903,
    CVE-2020-8231, CVE-2019-8696, CVE-2019-8675, CVE-2019-18218, CVE-2020-10543, CVE-2020-12723, CVE-2020-10878, CVE-2020-11652, CVE-2020-11651, CVE-2020-8023, CVE-2017-8871, CVE-2017-8834, CVE-2019-20812, CVE-2019-9455, CVE-2020-10711, CVE-2020-12659, CVE-2020-12769, CVE-2020-12768, CVE-2020-10720, CVE-2020-12657, CVE-2020-10732, CVE-2020-12656, CVE-2020-10757, CVE-2020-12464, CVE-2020-10690, CVE-2018-1000199, CVE-2020-10751, CVE-2020-12655, CVE-2020-13143, CVE-2020-12654, CVE-2020-0543, CVE-2020-12114, CVE-2020-12653, CVE-2020-12652, CVE-2019-19462, CVE-2019-20806, CVE-2018-18751, CVE-2020-14314, CVE-2020-10135, CVE-2020-14331, CVE-2020-14386, CVE-2020-14356, CVE-2020-16166, CVE-2020-24394, CVE-2020-1749, CVE-2020-14310, CVE-2020-14311, CVE-2020-15707, CVE-2020-10713, CVE-2020-14308, CVE-2020-15706, CVE-2020-14309, CVE-2019-18897, CVE-2019-17361, CVE-2019-9674, CVE-2020-8492, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-12888, CVE-2019-16746, CVE-2020-14416, CVE-2020-10768, CVE-2020-10769, CVE-2020-10781, CVE-2020-12771, CVE-2020-0305, CVE-2020-13974, CVE-2020-10773, CVE-2019-20908, CVE-2020-15780, CVE-2020-15393, CVE-2020-7216, CVE-2019-18902, CVE-2020-3898, CVE-2020-8177, CVE-2019-12900, CVE-2016-3189, CVE-2021-39537, CVE-2021-33503, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2021-3981, CVE-2022-28733, CVE-2022-28734, CVE-2022-28735, CVE-2022-28736, CVE-2022-28737, CVE-2019-10160, CVE-2018-20852, CVE-2011-3389, CVE-2019-9947, CVE-2016-0772, CVE-2012-0845, CVE-2013-4238, CVE-2018-14647, CVE-2014-4650, CVE-2018-1000802, CVE-2012-1150, CVE-2019-16056, CVE-2011-4944, CVE-2019-5010, CVE-2018-20406, CVE-2019-15903, CVE-2019-9636, CVE-2018-1061, CVE-2018-1060, CVE-2014-2667, CVE-2019-16935, CVE-2016-1000110, CVE-2013-1752, CVE-2016-5699, CVE-2016-5636, CVE-2017-18207, CVE-2019-15213, CVE-2019-19537, CVE-2019-19338, CVE-2019-19319, CVE-2020-7053, CVE-2019-19318, CVE-2019-19533, CVE-2019-19532, CVE-2019-19535, CVE-2019-18808, CVE-2020-8648, CVE-2019-16746, CVE-2020-8428, CVE-2019-19045, CVE-2019-19066, CVE-2019-19526, CVE-2019-19966, CVE-2020-8992, CVE-2019-19767, CVE-2019-19965, CVE-2019-19527,
    CVE-2019-14897, CVE-2019-14896, CVE-2019-19447, CVE-2019-16994, CVE-2019-19523, CVE-2019-14615, CVE-2019-20054, CVE-2019-20096, CVE-2019-20095, CVE-2019-19927, CVE-2020-2732, CVE-2019-19036, CVE-2019-19332, CVE-2019-19051, CVE-2019-19054, CVE-2020-25212, CVE-2020-25641, CVE-2020-0404, CVE-2020-0427, CVE-2019-25643, CVE-2020-0431, CVE-2020-0432, CVE-2020-25643, CVE-2020-14390, CVE-2020-26088, CVE-2020-25284, CVE-2020-14381
    More Information: See NVD (http://nvd.nist.gov/) for individual scores for each CVE.

  • Dell iDRAC9 FW
    CVE(s):
    CVE-2020-26198
    CVE-2018-15774, CVE-2018-15776
    CVE-2021-21581, CVE-2021-21580, CVE-2021-21579, CVE-2021-21578, CVE-2021-21577, CVE-2021-21576
    CVE-2021-36301, CVE-2021-20235, CVE-2021-36299, CVE-2021-3630
    CVE-2021-3712, CVE-2021-36348, CVE-2021-36347
    CVE-2022-24422
    CVE-2021-21539, CVE-2021-21541, CVE-2021-21542, CVE-2021-21543
    CVE-2020-26198
    More Information: Article Number 000177031; DSA-2021-133; DSA-2021-177; DSA-2021-259; DSA-2022-068; DSA-2021-073; DSA-2020-268

  • Dell BIOS FW
    CVE(s):
    CVE-2020-0587, CVE-2020-0588, CVE-2020-0590, CVE-2020-0591, CVE-2020-0592, CVE-2020-0593
    CVE-2020-8705, CVE-2020-8755
    CVE-2020-8696
    CVE-2020-8695, CVE-2020-8694
    CVE-2020-8674, CVE-2020-8738, CVE-2020-8739, CVE-2020-8740
    CVE-2020-8673
    CVE-2021-0060
    CVE-2021-0127
    CVE-2021-0103, CVE-2021-0114, CVE-2021-0115, CVE-2021-0116, CVE-2021-0117, CVE-2021-0118, CVE-2021-0099, CVE-2021-0111, CVE-2021-0107, CVE-2021-0125, CVE-2021-0124, CVE-2021-0092, CVE-2021-0093
    CVE-2020-12358, CVE-2020-12360, CVE-2020-24486, CVE-2021-0095, CVE-2020-12359, CVE-2020-8670, CVE-2020-12357
    CVE-2020-24511, CVE-2020-24512
    CVE-2020-24506, CVE-2020-24507, CVE-2020-8703
    CVE-2019-14553
    More Information: INTEL-SA-00358; INTEL-SA-00391; INTEL-SA-00381; INTEL-SA-00389; INTEL-SA-00390; INTEL-SA-00470; INTEL-SA-00532; INTEL-SA-00527; INTEL-SA-00463; INTEL-SA-00464; INTEL-SA-00459

  • Dell NIC FW
    CVE(s):
    CVE-2019-0139, CVE-2019-0140, CVE-2019-0142, CVE-2019-0143, CVE-2019-0144, CVE-2019-0145, CVE-2019-0146, CVE-2019-0147, CVE-2019-0148, CVE-2019-0149, CVE-2019-0150
    CVE-2021-0200, CVE-2021-0197, CVE-2021-0198, CVE-2021-0199
    CVE-2021-33058, CVE-2021-33061, CVE-2021-33059
    More Information: INTEL-SA-00255; INTEL-SA-00554; INTEL-SA-00555

  4. Affected Products and Remediation:

CVEs Addressed (Product, Affected Versions, Updated Versions, Link to Update):

  • CVE-2022-34384
    Dell SupportAssist for Home PCs: affected Version 3.11.2 and earlier; updated version 3.12.2
    Dell SupportAssist for Business PCs: affected Version 3.2.0 and earlier; updated version 3.3.0

  • CVE-2022-34385
    Dell SupportAssist for Home PCs: affected Version 3.11.4 and earlier; updated version 3.12.2
    Dell SupportAssist for Business PCs: affected Version 3.2.0 and earlier; updated version 3.3.0

  • CVE-2022-34386
    Dell SupportAssist for Home PCs: affected Version 3.11.4 and earlier; updated version 3.12.2
    Dell SupportAssist for Business PCs: affected Version 3.2.0 and earlier; updated version 3.3.0

  • CVE-2022-34387
    Dell SupportAssist for Home PCs: affected Version 3.11.4 and earlier; updated version 3.12.2
    Dell SupportAssist for Business PCs: affected Version 3.2.0 and earlier; updated version 3.3.0

  • CVE-2022-34388
    Dell SupportAssist for Home PCs: affected Version 3.11.4 and earlier; updated version 3.12.2
    Dell SupportAssist for Business PCs: affected Version 3.2.0 and earlier; updated version 3.3.0

  • CVE-2022-34366
    Dell SupportAssist for Home PCs: affected Version 3.11.4 and earlier; updated version 3.12.2

  • CVE-2022-34389
    Dell SupportAssist for Home PCs: affected Version 3.11.2 and earlier; updated version 3.12.2
    Dell SupportAssist for Business PCs: affected Version 3.2.0 and earlier; updated version 3.3.0

  • CVE-2022-34392
    Dell SupportAssist for Home PCs: affected Version 3.11.4 and earlier; updated version 3.12.2

  • CVE-2022-31228
    XtremIO X1, XtremIO X2: affected XMS versions prior to 6.4.0-22; updated version XMS 6.4.0-22
    Dell EMC recommends all customers upgrade at the earliest opportunity.
    Link to Update: https://www.dell.com/support/home/en-us/product-support/product/xtremio-x2/drivers

Link to Update for SupportAssist:

SupportAssist for Home PCs:
There are 2 ways in which the customer can get the latest component which has the fix.
1. Manual steps (Recommended):
a. Launch the SupportAssist UI
b. Go to the About page of the SupportAssist UI
c. Click on “Check for Latest Updates”

2. If Auto-update settings are enabled on the Settings page, then SupportAssist for Home PCs will automatically be upgraded to the latest available version which has the fix.

  • The Auto-update setting can be verified by going to the Settings page, Privacy option.

Links:
SupportAssist for Home PCs
Release Notes and User Guide

SupportAssist for Business PCs:
TechDirect Link for Admins
Release Notes and User Guide

Product (Affected Version(s), Updated Version(s), Link to Update):

  • Dell EMC VPLEX VS2-Server-PE
    Affected Version(s): versions before BIOS 2.9.1 and iDRAC 5.10.30.00
    Procedure: VS2 R240 Firmware Block Upgrade
    Release Notes/Links: VS2 Server PE Firmware Release Notes June 2022, https://solve.dell.com/solve/home/46


Dell recommends all customers upgrade at the earliest opportunity.
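The affected and updated versions above are the data a defender actually needs from this advisory: an inventory check that flags every installed version at or below the "and earlier" bound and clears everything at or above the fixed build. The following is an added example written for this page, not NIC-CERT's or Dell's code; it transcribes the remediation table into a lookup and implements the version comparison properly, because comparing version strings lexicographically would rank 3.9.1 above 3.11.2 and silently miss an affected host. The "XtremIO XMS" product label and the inventory rows are constructed for the example.

```python
"""Inventory triage against the Affected Products and Remediation table.

Added example for this advisory page (not Dell's or NIC-CERT's code). The
ADVISORY rows are transcribed from the table above; the product label
"XtremIO XMS" and SAMPLE_INVENTORY are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[Tuple[int, ...], int]

# (CVE, product, last affected version, first fixed version).
# last_affected is the inclusive "Version X and earlier" bound; None means
# "every version below the fix" (the advisory's "prior to 6.4.0-22" wording).
ADVISORY: List[Tuple[str, str, Optional[str], str]] = [
    ("CVE-2022-34384", "Dell SupportAssist for Home PCs", "3.11.2", "3.12.2"),
    ("CVE-2022-34384", "Dell SupportAssist for Business PCs", "3.2.0", "3.3.0"),
    ("CVE-2022-34385", "Dell SupportAssist for Home PCs", "3.11.4", "3.12.2"),
    ("CVE-2022-34385", "Dell SupportAssist for Business PCs", "3.2.0", "3.3.0"),
    ("CVE-2022-34386", "Dell SupportAssist for Home PCs", "3.11.4", "3.12.2"),
    ("CVE-2022-34386", "Dell SupportAssist for Business PCs", "3.2.0", "3.3.0"),
    ("CVE-2022-34387", "Dell SupportAssist for Home PCs", "3.11.4", "3.12.2"),
    ("CVE-2022-34387", "Dell SupportAssist for Business PCs", "3.2.0", "3.3.0"),
    ("CVE-2022-34388", "Dell SupportAssist for Home PCs", "3.11.4", "3.12.2"),
    ("CVE-2022-34388", "Dell SupportAssist for Business PCs", "3.2.0", "3.3.0"),
    ("CVE-2022-34366", "Dell SupportAssist for Home PCs", "3.11.4", "3.12.2"),
    ("CVE-2022-34389", "Dell SupportAssist for Home PCs", "3.11.2", "3.12.2"),
    ("CVE-2022-34389", "Dell SupportAssist for Business PCs", "3.2.0", "3.3.0"),
    ("CVE-2022-34392", "Dell SupportAssist for Home PCs", "3.11.4", "3.12.2"),
    ("CVE-2022-31228", "XtremIO XMS", None, "6.4.0-22"),  # label is assumed
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn '3.11.2' or '6.4.0-22' into a comparable (numbers, build) pair.

    Numeric components are compared as integers (so 3.9 < 3.11) and padded
    to at least four places so that 3.2 and 3.2.0 compare equal; the
    optional '-NN' build suffix is compared last.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * max(0, 4 - len(parts))
    build = int(m.group(2)) if m.group(2) else 0
    return (tuple(parts), build)


def cve_status(product: str, installed: str) -> Dict[str, str]:
    """Map each advisory CVE for `product` to 'affected', 'remediated' or
    'unlisted' (a version the table neither lists as affected nor as fixed,
    e.g. a Home PCs build between 3.11.2 and 3.12.2 for CVE-2022-34384)."""
    have = parse_version(installed)
    result: Dict[str, str] = {}
    for cve, prod, last_affected, fixed in ADVISORY:
        if prod != product:
            continue
        if have >= parse_version(fixed):
            result[cve] = "remediated"
        elif last_affected is None or have <= parse_version(last_affected):
            result[cve] = "affected"
        else:
            result[cve] = "unlisted"
    return result


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, cve) for every inventory row that the
    advisory still lists as affected."""
    findings = []
    for host, product, version in inventory:
        for cve, state in cve_status(product, version).items():
            if state == "affected":
                findings.append((host, product, version, cve))
    return findings


# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    ("laptop-01", "Dell SupportAssist for Home PCs", "3.9.1"),
    ("laptop-02", "Dell SupportAssist for Home PCs", "3.12.2"),
    ("desk-07", "Dell SupportAssist for Business PCs", "3.2.0"),
    ("xms-a", "XtremIO XMS", "6.4.0-19"),
]

if __name__ == "__main__":
    for host, product, version, cve in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} still affected by {cve}")
```

Feed `triage()` the (host, product, version) rows from your own asset inventory; the "unlisted" state is reported deliberately rather than collapsed into "remediated", since a version the advisory does not name should be confirmed against Dell's release notes before it is treated as fixed.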

References:

https://www.dell.com/support/security/en-us