保安警报 (A19-06-09): Dell SupportAssist 漏洞

描述:

Dell 发布了安全性更新以应对Dell SupportAssist 软件中 PC Doctor部件的一个漏洞。本机攻击者可以在PC Doctor部件中替换一个恶意实用程式库(utility library)，从而攻击这个漏洞。

受影响的系统:

• Dell SupportAssist (Business PC) 2.0版本
• Dell SupportAssist (Home PCs) 3.2.1及之前版本

影响:

成功利用这个漏洞可以在受影响的系统上导致本机权限提升及泄漏资讯。

建议:

Dell 发行了有关产品的新版本以应对以上问题。更新可透过产品本身的自动更新装置或下列网址更新其软件:

• Dell SupportAssist (Business PCs)
  https://downloads.dell.com/serviceability/Catalog/SupportAssistx64.msi
  https://downloads.dell.com/serviceability/Catalog/SupportAssistx86.msi
  
  
• Dell SupportAssist (Home PCs)
  https://downloads.dell.com/serviceability/catalog/SupportAssistInstaller.exe
  
  

受影响系统的用户应遵从产品供应商的建议，立即采取行动以降低风险。

进一步信息:

https://www.dell.com/support/article/hk/zh/hkdhs1/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en
https://safebreach.com/Post/OEM-Software-Puts-Multiple-Laptops-At-Risk
https://www.us-cert.gov/ncas/current-activity/2019/06/21/Dell-Releases-Security-Advisory-Dell-SupportAssist
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12280