CVE-2020-5363 — Improper Neutralization of Null Byte or NUL Character in Dell Latitude 5300 2-in-1 Firmware

CWE-158 — Improper Neutralization of Null Byte or NUL Character3 documents3 sources

Severity

6.7MEDIUMNVD

CNA8.6

EPSS

0.0%

top 85.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dell Latitude 5300 2-in-1 Firmware Dell Latitude 5300 Firmware Dell Latitude 5400 Firmware +16 more

Timeline

PublishedJun 10

Latest updateMay 24

Description

Select Dell Client Consumer and Commercial platforms include an issue that allows the BIOS Admin password to be changed through Dell's manageability interface without knowledge of the current BIOS Admin password. This could potentially allow an unauthorized actor, with physical access and/or OS administrator privileges to the device, to gain privileged access to the platform and the hard drive.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages19 packages

▶CVEListV5dell/dell_client_consumer_and_commercial_platformshttps://www.dell.com/support/article/SLN321604

▶NVDdell/xps_7590_firmware< 1.7.0

▶NVDdell/xps_13_9300_firmware< 1.0.11

▶NVDdell/latitude_5300_firmware< 1.9.4

▶NVDdell/latitude_5400_firmware< 1.7.4

🔴Vulnerability Details

GHSA

GHSA-q6xh-6r5c-j5mc: Select Dell Client Consumer and Commercial platforms include an issue that allows the BIOS Admin password to be changed through Dell's manageability i↗2022-05-24

▶

CVEList

CVE-2020-5363: Select Dell Client Consumer and Commercial platforms include an issue that allows the BIOS Admin password to be changed through Dell's manageability i↗2020-06-10

▶