Dell Command Update versions prior to 3.1 Improper Link Resolution Before File Access (‘Link Following’) Vulnerability

Summary

Dell Command Update versions prior to 3.1 contain an Arbitrary File Deletion Vulnerability.

Credit:

The information has been provided by Eran Shimony

The original article can be found at: https://www.dell.com/support/article/SLN319697


Details

A local authenticated malicious user with low privileges could potentially exploit this vulnerability to delete arbitrary files by creating a symlink from “Temp\ICProgress\Dell_InventoryCollector_Progress.xml” to any targeted file. This issue occurs because permissions on the Temp directory were set incorrectly.
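
An added example (not from Dell's advisory or the product): a PowerShell audit that checks a directory used by a privileged process for the two conditions described above, write access for low-privileged principals and reparse points already present. The function name and the `-Path` argument are assumptions; the advisory gives only the relative path `Temp\ICProgress`.

```powershell
# Added example, not vendor code. The caller supplies the full directory path;
# the advisory names only the relative location Temp\ICProgress.
function Test-LinkFollowingExposure {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs of broad, low-privileged principals (locale independent).
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }

    # Rights that allow planting, replacing or re-permissioning entries,
    # plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which
    # inherit-only ACEs may carry unmapped.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $riskyMask = [int]$rights -bor 0x40000000 -bor 0x10000000

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $aclFindings = foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or -not $broadSids.ContainsKey($sid)) { continue }
        if (([int]$rule.FileSystemRights -band $riskyMask) -ne 0) {
            [pscustomobject]@{
                Item   = $Path
                Issue  = 'WritableByLowPrivilege'
                Detail = "$($broadSids[$sid]): $($rule.FileSystemRights)"
            }
        }
    }

    # Flag the directory itself and its direct children if they are reparse
    # points (symlinks, junctions). No recursion, so no link is traversed.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)
    $linkFindings = foreach ($item in $items) {
        if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
            [pscustomobject]@{
                Item   = $item.FullName
                Issue  = 'ReparsePoint'
                Detail = "LinkType=$($item.LinkType) Target=$($item.Target)"
            }
        }
    }

    @($aclFindings) + @($linkFindings)
}
# Usage (placeholder path): Test-LinkFollowingExposure -Path '<parent>\Temp\ICProgress'
```

An empty result means neither condition was found at the time of the check; any `WritableByLowPrivilege` row on a directory that a privileged process cleans up is the misconfiguration the advisory describes.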

 

Vulnerable Systems:

Dell Command Update versions prior to 3.1

 

CVE Information:

CVE-2019-3749

 

Disclosure Timeline:
Published Date: 12/3/2019
