Dell released a security update to address a vulnerability, tracked as CVE-2020-5316, in its
Dell SupportAssist software is described as a tool that proactively checks the health of system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting.
To solve the problems Dell SupportAssist interacts with the Dell Support website and automatically detect Service Tag or Express Service Code of Dell product.
The utility performs hardware diagnostic tests and analyzes the hardware configuration of the system, including installed device drivers, and is able to install missing or available driver updates.
The software leverages a local web service that is protected using the “Access-Control-Allow-Origin” response header and implementing restrictions to accept commands only from the “dell.com” website or its subdomains,
“A locally authenticated low privileged user could exploit this vulnerability to cause the loading of arbitrary DLLs by the
The issue is an uncontrolled search path vulnerability that was reported by the security expert Eran Shimony from
The vulnerability affects the following Dell versions:
• Dell for business PCs version 2.1.3 or earlier
• Dell for home PCs version 3.4 or earlier.
Dell addresses the issue with the release of Dell
All versions of SupportAssist will automatically install the latest released versions if automatic upgrades are enabled, otherwise the steps for a manual update of the client for home PCs are:
In May 2019, the security researcher Bill Demirkapi discovered a critical remote code execution vulnerability (CVE-2019-3719) in the Dell SupportAssist utility that could be exploited by hackers to compromise systems remotely.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Dell)