CVE-2019-3726

Summary

CVE	CVE-2019-3726
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-09-24 16:15:00 UTC
Updated	2019-10-09 23:49:00 UTC
Description	An Uncontrolled Search Path Vulnerability is applicable to the following: Dell Update Package (DUP) Framework file versions prior to 19.1.0.413, and Framework file versions prior to 103.4.6.69 used in Dell EMC Servers. Dell Update Package (DUP) Framework file versions prior to 3.8.3.67 used in Dell Client Platforms. The vulnerability is limited to the DUP framework during the time window when a DUP is being executed by an administrator. During this time window, a locally authenticated low privilege malicious user potentially could exploit this vulnerability by tricking an administrator into running a trusted binary, causing it to load a malicious DLL and allowing the attacker to execute arbitrary code on the victim system. The vulnerability does not affect the actual binary payload that the DUP delivers.

Risk And Classification

Problem Types: CWE-427

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Dell	Client Platforms	-	All	All	All
Hardware	Dell	Client Platforms	-	All	All	All
Hardware	Dell	Emc Servers	-	All	All	All
Hardware	Dell	Emc Servers	-	All	All	All
Application	Dell	Update Package Framework	All	All	All	All
Application	Dell	Update Package Framework	All	All	All	All

References

Reference	Source	Link	Tags
DSA-2019-065: Dell Update Package (DUP) Framework Uncontrolled Search Path Vulnerability \| Dell US	CONFIRM	www.dell.com	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Dell would like to thank Pierre-Alexandre Braeken, Silas Cutler, and Eran Shimony for reporting this issue.

There are currently no legacy QID mappings associated with this CVE.