Security News > 2020 > February > Dell Patches SupportAssist Flaw That Allows Arbitrary Code Execution

Dell Patches SupportAssist Flaw That Allows Arbitrary Code Execution
2020-02-11 12:14

Dell has patched a high-severity flaw in its SupportAssist software that could allow an attacker to execute arbitrary code with administrator privileges on affected computers.

The flaw, an uncontrolled search path vulnerability that is being tracked as CVE-2020-5316, could allow a locally authenticated user with low privileges to "Cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code," Dell wrote in its explanation of the bug.

The vulnerability exists in Dell SupportAssist for business PCs version 2.1.3 or older and home PCs version 3.4 or older, according to Dell.

"All versions of SupportAssist automatically upgrade to the latest version available if automatic upgrades are enabled. Customers can check which version they are running and upgrade to a newer version of SupportAssist if available," Dell said.

According to Dell, SupportAssist comes preinstalled on most new Dell devices running Windows.


News URL

https://threatpost.com/dell-patches-supportassist-flaw-that-allows-arbitrary-code-execution/152771/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-07-22 CVE-2020-5316 Uncontrolled Search Path Element vulnerability in Dell products
Dell SupportAssist for Business PCs versions 2.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.1.2, 2.1.3 and Dell SupportAssist for Home PCs version 2.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, 3.2.1, 3.2.2, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.4 contain an uncontrolled search path vulnerability.
local
low complexity
dell CWE-427
7.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Dell 1678 29 437 430 109 1005