Security News > 2020 > December > Two Critical Flaws — CVSS Score 10 — Affect Dell Wyse Thin Client Devices

Two Critical Flaws — CVSS Score 10 — Affect Dell Wyse Thin Client Devices
2020-12-24 20:51

A team of researchers today unveiled two critical security vulnerabilities in Dell Wyse Thin clients that could have potentially allowed attackers to remotely execute malicious code and access arbitrary files on affected devices.

The flaws, which were uncovered by healthcare cybersecurity provider CyberMDX and reported to Dell in June 2020, affects all devices running ThinOS versions 8.6 and below.

The flaws also have a CVSS score of 10 out of 10, making them critical in severity.

Tracked as CVE-2020-29491 and CVE-2020-29492, the security shortcomings in Wyse's thin clients stem from the fact that the FTP sessions used to pull firmware updates and configurations from a local server are unprotected sans any authentication, thus making it possible for an attacker in the same network to read and alter their configurations.

Ini files holding the configuration for other thin client devices.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/uk7cElFYsVM/two-critical-flaws-cvss-score-10-affect.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-01-04 CVE-2020-29491 Incorrect Default Permissions vulnerability in Dell Wyse Thinos 8.6
Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability.
network
low complexity
dell CWE-276
5.0
2021-01-04 CVE-2020-29492 Incorrect Default Permissions vulnerability in Dell Wyse Thinos 8.6
Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability.
network
low complexity
dell CWE-276
6.4

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Dell 1173 62 185 77 50 374