Security News > 2020 > February > Dell Patches SupportAssist Flaw That Allows Arbitrary Code Execution
Dell has patched a high-severity flaw in its SupportAssist software that could allow an attacker to execute arbitrary code with administrator privileges on affected computers.
The flaw, an uncontrolled search path vulnerability that is being tracked as CVE-2020-5316, could allow a locally authenticated user with low privileges to "Cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code," Dell wrote in its explanation of the bug.
The vulnerability exists in Dell SupportAssist for business PCs version 2.1.3 or older and home PCs version 3.4 or older, according to Dell.
"All versions of SupportAssist automatically upgrade to the latest version available if automatic upgrades are enabled. Customers can check which version they are running and upgrade to a newer version of SupportAssist if available," Dell said.
According to Dell, SupportAssist comes preinstalled on most new Dell devices running Windows.
News URL
https://threatpost.com/dell-patches-supportassist-flaw-that-allows-arbitrary-code-execution/152771/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-07-22 | CVE-2020-5316 | Uncontrolled Search Path Element vulnerability in Dell products Dell SupportAssist for Business PCs versions 2.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.1.2, 2.1.3 and Dell SupportAssist for Home PCs version 2.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, 3.2.1, 3.2.2, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.4 contain an uncontrolled search path vulnerability. | 4.6 |