Vulnerability Monitor

CVE-2020-5357


Dell Dock Firmware Update Utilities for Dell Client Consumer and Commercial docking stations contain an Arbitrary File Overwrite vulnerability. The vulnerability is limited to the Dell Dock Firmware Update Utilities during the time window while being executed by an administrator. During this time window, a locally authenticated low-privileged malicious user could exploit this vulnerability by tricking an administrator into overwriting arbitrary files via a symlink attack. The vulnerability does not affect the actual binary payload that the update utility delivers.


Published

2020-05-28T20:15:12.037

Last Modified

2024-11-21T05:33:58.487

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.1 (HIGH)

CVSSv2 Vector

AV:L/AC:H/Au:N/C:N/I:P/A:P

  • Access Vector: LOCAL
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

1.9

Impact Score

4.9

Weaknesses
  • Type: Secondary
    CWE-427
  • Type: Primary
    CWE-427

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | dell | dock_wd15_firmware | < 1.0.8 | Yes |
| Hardware | dell | dock_wd15 | - | No |
| Operating System | dell | dock_wd19_firmware | < 1.0.14 | Yes |
| Hardware | dell | dock_wd19 | - | No |
| Operating System | dell | thunderbolt_dock_tb16_firmware | < 1.0.4 | Yes |
| Hardware | dell | thunderbolt_dock_tb16 | - | No |
| Operating System | dell | precision_dual_usb-c_thunderbolt_dock_-_tb18dc_firmware | < 1.0.10 | Yes |
| Hardware | dell | precision_dual_usb-c_thunderbolt_dock_-_tb18dc | - | No |
