CVE-2019-3719
Attacker Value: Very High (2 users assessed)
Exploitability: High (2 users assessed)
Description
Dell SupportAssist (the Dell support agent) fails to properly verify the origin of the updates it downloads. By spoofing DNS responses for the update host and serving crafted payloads, an attacker can deliver an executable file that the support agent will download and run as SYSTEM.
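The root cause described above is that the downloaded binary is trusted because of where DNS said it came from. The following is an added illustration, not Dell's code and not taken from the advisory or the blog post: a download-and-run routine in its vulnerable shape next to one that establishes origin from the Authenticode signature rather than from name resolution. The update URL and the expected signer subject are placeholders (assumptions), and the script does not attempt to reproduce the actual SupportAssist update flow.

```powershell
# Added example; placeholder values, not Dell's update endpoint or certificate.
$UpdateUrl      = 'https://updates.example-vendor.test/agent-update.exe'        # assumption: placeholder host
$ExpectedSigner = 'CN=Example Vendor Inc, O=Example Vendor Inc, C=US'           # assumption: placeholder subject
$Dest           = Join-Path $env:TEMP 'agent-update.exe'

# Vulnerable pattern: whatever the hostname resolves to is trusted. An attacker who
# controls the DNS answer (or sits on the path) serves a binary and it runs with the
# privileges of the caller; in the agent's case that is SYSTEM.
function Invoke-UpdateUnsafe {
    Invoke-WebRequest -Uri $UpdateUrl -OutFile $Dest
    Start-Process -FilePath $Dest -Wait
}

# Hardened pattern: origin is proven by a valid signature chain AND a pinned signer.
# 'Valid' alone is not enough, since any validly signed binary (including signed
# malware) would pass; the subject check ties the file to the vendor.
function Invoke-UpdateChecked {
    Invoke-WebRequest -Uri $UpdateUrl -OutFile $Dest
    $sig = Get-AuthenticodeSignature -FilePath $Dest
    if ($sig.Status -ne 'Valid') {
        Remove-Item -Path $Dest -Force -ErrorAction SilentlyContinue
        throw "Refusing to run ${Dest}: signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -ne $ExpectedSigner) {
        Remove-Item -Path $Dest -Force -ErrorAction SilentlyContinue
        throw "Refusing to run ${Dest}: signed by '$($sig.SignerCertificate.Subject)', expected '$ExpectedSigner'"
    }
    Start-Process -FilePath $Dest -Wait
}

# Usage (the hardened form is the one to ship):
# Invoke-UpdateChecked
```

Two practical notes on the checked version: pinning by certificate thumbprint instead of subject string is stricter if the vendor's signing certificate is stable, and the download itself should still go over HTTPS with certificate validation, because the signature check only protects the final execute step, not whatever else the agent does with fetched content.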
Ratings
Attacker Value: Very High
Exploitability: Medium
Technical Analysis
As exploits go, being able to serve payloads to all Dell computers in a subnet is a pretty useful tool. It would require DNS hijacking and other noisy things, but not everyone is checking networks for those attacks, and if they are, they might be doing it on a Dell.
Ratings
Attacker Value: Very High
Exploitability: High
Technical Analysis
While the author specifically lists ARP spoofing and DNS hijacking as necessary, I suspect ARP spoofing is not a needed step and DNS cache poisoning may also work to turn this into a remote, site-wide attack.
Perhaps more interesting is that it’s unstated (in both the blog post and the Dell advisory) whether this software supports auto-update, and it seems like Dell would have mentioned it if it did. Instead, Dell points to a manual EXE-based installer. The software only runs on Dell and AlienWare hardware, so I wasn’t able (or willing to be persistent enough) to get it to run in a VM.