Dell SupportAssist Multiple Vulnerabilities (DSA-2019-051)

Severity: High. Nessus Plugin ID: 137364

Synopsis

The remote Windows host contains a Dell SupportAssist installation that is affected by multiple vulnerabilities.

Description

The version of Dell SupportAssist Client installed on the remote Windows host is prior to 3.2.0.90 and is reportedly affected by multiple vulnerabilities:

- An improper origin validation vulnerability exists in Dell SupportAssist Client versions prior to 3.2.0.90. An unauthenticated remote attacker could potentially exploit this vulnerability to attempt CSRF attacks on users of the impacted systems. (CVE-2019-3718)

- A remote code execution vulnerability exists in Dell SupportAssist Client versions prior to 3.2.0.90. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via the SupportAssist client from attacker-hosted sites. (CVE-2019-3719)

Solution

Upgrade to Dell SupportAssist Client version 3.2.0.90 or later.

See Also

http://www.nessus.org/u?28b34214

Plugin Details

Severity: High

ID: 137364

File Name: dell_support_assist_DSA-2019-051.nasl

Version: 1.3

Type: local

Agent: windows

Family: Windows

Published: 6/12/2020

Updated: 5/13/2022

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.9

Temporal Score: 5.8

Vector: CVSS2#AV:A/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-3719

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-3718

Vulnerability Information

CPE: cpe:/a:dell:supportassist

Required KB Items: installed_sw/Dell SupportAssist

Exploit Ease: No known exploits are available

Patch Publication Date: 4/18/2019

Vulnerability Publication Date: 4/18/2019

Reference Information

CVE: CVE-2019-3718, CVE-2019-3719

BID: 108020