Details of VAR-201308-0205

ID

VAR-201308-0205

CVE

CVE-2013-3582

TITLE

Dell BIOS in some Latitude laptops and Precision Mobile Workstations vulnerable to buffer overflow

Trust: 0.8

sources: CERT/CC: VU#912156

DESCRIPTION

Buffer overflow in Dell BIOS on Dell Latitude D###, E####, XT2, and Z600 devices, and Dell Precision M#### devices, allows local users to bypass intended BIOS signing requirements and install arbitrary BIOS images by leveraging administrative privileges and providing a crafted rbu_packet.pktNum value in conjunction with a crafted rbu_packet.pktSize value. Dell Multiple offers Latitude Laptop and Precision Mobile Workstation of BIOS A buffer overflow vulnerability exists in the update process. Dell Multiple offers Latitude Laptop and Precision Mobile Workstation Then BIOS In the update process, the update is performed after verifying the signature of the update image. This update process includes rbu_packet.pktNum and rbu_packet.pktSize A buffer overflow vulnerability exists due to the value of. By using this vulnerability, signature verification was avoided and crafted BIOS It becomes possible to update to.By having a specially crafted updater run, rootkit Or malicious code BIOS May be written. Attackers may leverage these issues to execute arbitrary code in the context of the affected application. Failed attacks will cause denial-of-service conditions. Dell Latitude and Precision are a series of notebook computer products released by Dell in the United States. BIOS (Basic Input-Output System) is a set of programs solidified on the ROM chip on the computer motherboard. It stores the most important basic input and output programs of the computer, system setting information, and self-test programs after startup. and system self-starter

Trust: 2.7

sources: NVD: CVE-2013-3582 // CERT/CC: VU#912156 // JVNDB: JVNDB-2013-003762 // BID: 61792 // VULHUB: VHN-63584

AFFECTED PRODUCTS

vendor:	dell	model:	latitude d631	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	latitude e5400	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	latitude xt2	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	precision m2300	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	latitude d530	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	precision m6500	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	latitude z600	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	latitude d531	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	precision m6400	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	latitude d630	scope:	eq	version:	-	Trust: 1.6
vendor:	dell	model:	precision m6500	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	precision m6400	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	precision m6300	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	precision m4400	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	precision m4300	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	precision m2400	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	precision m2300	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude z600	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude e6500	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude e6400 atg	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude e6400	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude e5500	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude e5400	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude e4300	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude e4200	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude d830	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude d631	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude d630	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude d531	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude d530	scope:	-	version:	-	Trust: 1.1
vendor:	dell	model:	latitude d830	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	precision m6300	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	latitude e6400	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	precision m4300	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	latitude e6500	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	latitude e5500	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	precision m2400	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	latitude e4300	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	latitude e6400 atg xfr	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	latitude e4200	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	latitude e6400 atg	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	precision m4400	scope:	eq	version:	-	Trust: 1.0
vendor:	dell computer	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	dell	model:	latitude e6400 / atg / xfr	scope:	-	version:	-	Trust: 0.8
vendor:	dell	model:	latitude xt2	scope:	-	version:	-	Trust: 0.8
vendor:	dell	model:	latitude e6400 xfr	scope:	-	version:	-	Trust: 0.3
vendor:	dell	model:	bios	scope:	eq	version:	0	Trust: 0.3

sources: CERT/CC: VU#912156 // BID: 61792 // JVNDB: JVNDB-2013-003762 // CNNVD: CNNVD-201308-267 // NVD: CVE-2013-3582

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-3582
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-3582
value:	MEDIUM
Trust: 0.8
NVD:	CVE-2013-3582
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201308-267
value:	HIGH
Trust: 0.6
VULHUB:	VHN-63584
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-3582
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
NVD:	CVE-2013-3582
severity:	MEDIUM
baseScore:	6.2
vectorString:	NONE
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	1.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-63584
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#912156 // VULHUB: VHN-63584 // JVNDB: JVNDB-2013-003762 // CNNVD: CNNVD-201308-267 // NVD: CVE-2013-3582

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 2.7

sources: CERT/CC: VU#912156 // VULHUB: VHN-63584 // JVNDB: JVNDB-2013-003762 // NVD: CVE-2013-3582

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201308-267

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201308-267

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003762

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#912156

PATCH

title:

Dell Support - Official Site:

url:

http://www.dell.com/support/home/us/en/19?c=us&l=en&s=dhs

Trust: 0.8

sources: JVNDB: JVNDB-2013-003762

EXTERNAL IDS

db:	CERT/CC	id:	VU#912156	Trust: 3.6
db:	NVD	id:	CVE-2013-3582	Trust: 2.8
db:	BID	id:	61792	Trust: 1.0
db:	JVN	id:	JVNVU95005184	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-003762	Trust: 0.8
db:	CNNVD	id:	CNNVD-201308-267	Trust: 0.7
db:	CERT/CC	id:	HTTP://WWW.KB.CERT.ORG/VULS/ID/BLUU-99HSLA	Trust: 0.6
db:	VULHUB	id:	VHN-63584	Trust: 0.1

sources: CERT/CC: VU#912156 // VULHUB: VHN-63584 // BID: 61792 // JVNDB: JVNDB-2013-003762 // CNNVD: CNNVD-201308-267 // NVD: CVE-2013-3582

REFERENCES

url:	https://www.blackhat.com/us-13/archives.html#butterworth	Trust: 2.8
url:	http://www.kb.cert.org/vuls/id/912156	Trust: 2.8
url:	http://www.kb.cert.org/vuls/id/bluu-99hsla	Trust: 2.5
url:	http://www.mitre.org/work/cybersecurity/blog/cyber_tools_butterworth.html	Trust: 1.9
url:	https://media.blackhat.com/us-13/us-13-butterworth-bios-security-slides.pdf	Trust: 1.7
url:	https://media.blackhat.com/us-13/us-13-butterworth-bios-security-wp.pdf	Trust: 1.7
url:	http://support.dell.com/	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3582	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu95005184/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3582	Trust: 0.8
url:	http://www.securityfocus.com/bid/61792	Trust: 0.6
url:	http://dell.com	Trust: 0.3

sources: CERT/CC: VU#912156 // VULHUB: VHN-63584 // BID: 61792 // JVNDB: JVNDB-2013-003762 // CNNVD: CNNVD-201308-267 // NVD: CVE-2013-3582

CREDITS

Corey Kallenberg, John Butterworth, Xeno Kovah of the MITRE Corporation and Rick Martinez from Dell.

Trust: 0.9

sources: BID: 61792 // CNNVD: CNNVD-201308-267

SOURCES

db:	CERT/CC	id:	VU#912156
db:	VULHUB	id:	VHN-63584
db:	BID	id:	61792
db:	JVNDB	id:	JVNDB-2013-003762
db:	CNNVD	id:	CNNVD-201308-267
db:	NVD	id:	CVE-2013-3582

LAST UPDATE DATE

2024-11-23T22:59:47.044000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#912156	date:	2013-08-22T00:00:00
db:	VULHUB	id:	VHN-63584	date:	2013-10-07T00:00:00
db:	BID	id:	61792	date:	2013-08-15T00:00:00
db:	JVNDB	id:	JVNDB-2013-003762	date:	2013-08-29T00:00:00
db:	CNNVD	id:	CNNVD-201308-267	date:	2013-08-29T00:00:00
db:	NVD	id:	CVE-2013-3582	date:	2024-11-21T01:53:55.670

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#912156	date:	2013-08-15T00:00:00
db:	VULHUB	id:	VHN-63584	date:	2013-08-28T00:00:00
db:	BID	id:	61792	date:	2013-08-15T00:00:00
db:	JVNDB	id:	JVNDB-2013-003762	date:	2013-08-19T00:00:00
db:	CNNVD	id:	CNNVD-201308-267	date:	2013-08-20T00:00:00
db:	NVD	id:	CVE-2013-3582	date:	2013-08-28T13:13:58.223