Details of VAR-201904-0307

ID

VAR-201904-0307

CVE

CVE-2019-3719

TITLE

Dell SupportAssist Client Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003797

DESCRIPTION

Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites. Dell SupportAssist Client Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Dell SupportAssist Client is prone to the following security vulnerabilities: 1. A cross-site request forgery vulnerability 2. A remote code-injection vulnerability An attacker may leverage these issues to perform certain unauthorized actions and gain access to the affected application or execute arbitrary code. This may aid in further attacks. The program provides automated, proactive and predictive techniques for troubleshooting and more. The vulnerability stems from the failure of the network system or product to properly validate the input data

Trust: 2.07

sources: NVD: CVE-2019-3719 // JVNDB: JVNDB-2019-003797 // BID: 108020 // VULHUB: VHN-155154 // VULMON: CVE-2019-3719

AFFECTED PRODUCTS

vendor:	dell	model:	supportassist	scope:	lt	version:	3.2.0.90	Trust: 1.0
vendor:	dell	model:	supportassist	scope:	lt	version:	client 3.2.0.90	Trust: 0.8
vendor:	dell	model:	supportassist	scope:	eq	version:	3.1.0.142	Trust: 0.3
vendor:	dell	model:	supportassist	scope:	eq	version:	3.0.2.48	Trust: 0.3
vendor:	dell	model:	supportassist	scope:	ne	version:	3.2.1.94	Trust: 0.3
vendor:	dell	model:	supportassist	scope:	ne	version:	3.2.0.90	Trust: 0.3

sources: BID: 108020 // JVNDB: JVNDB-2019-003797 // NVD: CVE-2019-3719

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-3719
value:	HIGH
Trust: 1.0
security_alert@emc.com:	CVE-2019-3719
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-3719
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201904-909
value:	HIGH
Trust: 0.6
VULHUB:	VHN-155154
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-3719
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-3719
severity:	HIGH
baseScore:	7.9
vectorString:	AV:A/AC:M/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	5.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-155154
severity:	HIGH
baseScore:	7.9
vectorString:	AV:A/AC:M/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	5.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-3719
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.1
impactScore:	5.9
version:	3.1
Trust: 1.0
security_alert@emc.com:	CVE-2019-3719
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2019-3719
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-155154 // VULMON: CVE-2019-3719 // JVNDB: JVNDB-2019-003797 // CNNVD: CNNVD-201904-909 // NVD: CVE-2019-3719 // NVD: CVE-2019-3719

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-20	Trust: 0.9

sources: VULHUB: VHN-155154 // JVNDB: JVNDB-2019-003797 // NVD: CVE-2019-3719

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201904-909

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201904-909

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003797

PATCH

title:	DSA-2019-051	url:	https://www.dell.com/support/article/us/en/19/sln316857/dsa-2019-051-dell-supportassist-client-multiple-vulnerabilities?lang=en	Trust: 0.8
title:	Dell SupportAssist Client Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91740	Trust: 0.6
title:	The Register	url:	https://www.theregister.co.uk/2020/02/11/dell_supportassist_flaw/	Trust: 0.2
title:	CVE-2019-3719	url:	https://github.com/jiansiting/CVE-2010-3719	Trust: 0.1
title:	Dell-Support-Assist-RCE-PoC	url:	https://github.com/D4stiny/Dell-Support-Assist-RCE-PoC	Trust: 0.1
title:	PoC	url:	https://github.com/Jonathan-Elias/PoC	Trust: 0.1
title:	CVE-POC	url:	https://github.com/0xT11/CVE-POC	Trust: 0.1
title:	PoC-in-GitHub	url:	https://github.com/developer3000S/PoC-in-GitHub	Trust: 0.1
title:	PoC-in-GitHub	url:	https://github.com/nomi-sec/PoC-in-GitHub	Trust: 0.1
title:	PoC-in-GitHub	url:	https://github.com/hectorgie/PoC-in-GitHub	Trust: 0.1

sources: VULMON: CVE-2019-3719 // JVNDB: JVNDB-2019-003797 // CNNVD: CNNVD-201904-909

EXTERNAL IDS

db:	NVD	id:	CVE-2019-3719	Trust: 2.9
db:	BID	id:	108020	Trust: 1.0
db:	JVNDB	id:	JVNDB-2019-003797	Trust: 0.8
db:	CNNVD	id:	CNNVD-201904-909	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.1522	Trust: 0.6
db:	VULHUB	id:	VHN-155154	Trust: 0.1
db:	VULMON	id:	CVE-2019-3719	Trust: 0.1

sources: VULHUB: VHN-155154 // VULMON: CVE-2019-3719 // BID: 108020 // JVNDB: JVNDB-2019-003797 // CNNVD: CNNVD-201904-909 // NVD: CVE-2019-3719

REFERENCES

url:	https://www.dell.com/support/article/us/en/19/sln316857/dsa-2019-051-dell-supportassist-client-multiple-vulnerabilities?lang=en	Trust: 2.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-3719	Trust: 1.4
url:	http://www.securityfocus.com/bid/108020	Trust: 1.3
url:	http://dell.com	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3719	Trust: 0.8
url:	https://www.dell.com/support/article/au/en/audhs1/sln316857/dsa-2019-051-dell-supportassist-client-multiple-vulnerabilities	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/80126	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://github.com/jiansiting/cve-2010-3719	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/nomi-sec/poc-in-github	Trust: 0.1

sources: VULHUB: VHN-155154 // VULMON: CVE-2019-3719 // BID: 108020 // JVNDB: JVNDB-2019-003797 // CNNVD: CNNVD-201904-909 // NVD: CVE-2019-3719

CREDITS

John C. Hennessy-ReCar and Bill Demirkapi.

Trust: 0.9

sources: BID: 108020 // CNNVD: CNNVD-201904-909

SOURCES

db:	VULHUB	id:	VHN-155154
db:	VULMON	id:	CVE-2019-3719
db:	BID	id:	108020
db:	JVNDB	id:	JVNDB-2019-003797
db:	CNNVD	id:	CNNVD-201904-909
db:	NVD	id:	CVE-2019-3719

LAST UPDATE DATE

2024-11-23T22:55:37.870000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-155154	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2019-3719	date:	2021-07-21T00:00:00
db:	BID	id:	108020	date:	2019-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-003797	date:	2019-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201904-909	date:	2022-01-04T00:00:00
db:	NVD	id:	CVE-2019-3719	date:	2024-11-21T04:42:23.933

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-155154	date:	2019-04-18T00:00:00
db:	VULMON	id:	CVE-2019-3719	date:	2019-04-18T00:00:00
db:	BID	id:	108020	date:	2019-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-003797	date:	2019-05-22T00:00:00
db:	CNNVD	id:	CNNVD-201904-909	date:	2019-04-18T00:00:00
db:	NVD	id:	CVE-2019-3719	date:	2019-04-18T20:29:01.143