CVE-2020-5362 — Improper Authorization in Dell Chengming 3967 Firmware

CWE-285 — Improper Authorization CWE-862 — Missing Authorization3 documents3 sources

Severity

4.4MEDIUMNVD

CNA7.1

EPSS

0.1%

top 84.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

354

Dell Chengming 3967 Firmware Dell Chengming 3977 Firmware Dell Chengming 3980 Firmware +351 more

Timeline

PublishedJun 10

Latest updateMay 24

Description

Dell Client Consumer and Commercial platforms include an improper authorization vulnerability in the Dell Manageability interface for which an unauthorized actor, with local system access with OS administrator privileges, could bypass the BIOS Administrator authentication to restore BIOS Setup configuration to default values.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages354 packages

▶CVEListV5dell/dell_client_consumer_and_commercial_platformshttps://www.dell.com/support/article/SLN321726

▶NVDdell/wyse_5070_thin_client_firmware< 1.7.0

▶NVDdell/wyse_7040_thin_client_firmware< 1.9.0

▶NVDdell/latitude_3460_mobile_thin_client_firmware< a19

▶NVDdell/latitude_3480_mobile_thin_client_firmware< 1.14.0

🔴Vulnerability Details

GHSA

GHSA-xgch-xjh8-4m78: Dell Client Consumer and Commercial platforms include an improper authorization vulnerability in the Dell Manageability interface for which an unautho↗2022-05-24

▶

CVEList

CVE-2020-5362: Dell Client Consumer and Commercial platforms include an improper authorization vulnerability in the Dell Manageability interface for which an unautho↗2020-06-10

▶