Two Critical Flaws — CVSS Score 10 — Affect Dell Wyse Thin Client Devices
2020-12-24 20:51

A team of researchers today unveiled two critical security vulnerabilities in Dell Wyse Thin clients that could have potentially allowed attackers to remotely execute malicious code and access arbitrary files on affected devices.

The flaws, which were uncovered by healthcare cybersecurity provider CyberMDX and reported to Dell in June 2020, affect all devices running ThinOS versions 8.6 and below.

The flaws also have a CVSS score of 10 out of 10, making them critical in severity.

Tracked as CVE-2020-29491 and CVE-2020-29492, the security shortcomings in Wyse's thin clients stem from the fact that the FTP sessions used to pull firmware updates and configurations from a local server are not protected by any authentication, making it possible for an attacker on the same network to read and alter their configurations.

Ini files holding the configuration for other thin client devices.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/uk7cElFYsVM/two-critical-flaws-cvss-score-10-affect.html

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2021-01-04 | CVE-2020-29491 | Incorrect Default Permissions vulnerability in Dell Wyse ThinOS 8.6. Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. (network; low complexity; dell; CWE-276) | 5.0
2021-01-04 | CVE-2020-29492 | Incorrect Default Permissions vulnerability in Dell Wyse ThinOS 8.6. Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. (network; low complexity; dell; CWE-276) | 6.4

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Dell 1650 96 430 286 92 904