ID

VAR-202101-1141


CVE

CVE-2020-5361


TITLE

Dell BIOS Vulnerability in password management function

Trust: 0.8

sources: JVNDB: JVNDB-2020-015521

DESCRIPTION

Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication. Dell BIOS contains a vulnerability in the password management function. Information may be obtained or tampered with, and the system may be put into a denial-of-service (DoS) state. Dell Client Commercial and Dell Consumer are a series of workstation equipment from Dell in the United States.

Trust: 1.71

sources: NVD: CVE-2020-5361 // JVNDB: JVNDB-2020-015521 // VULHUB: VHN-183486

AFFECTED PRODUCTS

vendor: dell, model: cpg bios, scope: eq, version: *

Trust: 1.0

vendor: Dell, model: bios, scope: -, version: -

Trust: 0.8

vendor: Dell, model: bios, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-015521 // NVD: CVE-2020-5361

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5361
value: HIGH

Trust: 1.0

security_alert@emc.com: CVE-2020-5361
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-5361
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202101-103
value: HIGH

Trust: 0.6

VULHUB: VHN-183486
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-5361
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-183486
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-5361
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 6.0
version: 3.1

Trust: 1.0

security_alert@emc.com: CVE-2020-5361
baseSeverity: MEDIUM
baseScore: 5.1
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 0.9
impactScore: 3.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-5361
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-183486 // JVNDB: JVNDB-2020-015521 // CNNVD: CNNVD-202101-103 // NVD: CVE-2020-5361 // NVD: CVE-2020-5361

PROBLEMTYPE DATA

problemtype: CWE-640

Trust: 1.1

problemtype: Weak Password Recovery Mechanism for Forgotten Password (CWE-640) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-183486 // JVNDB: JVNDB-2020-015521 // NVD: CVE-2020-5361

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202101-103

PATCH

title: DSA-2020-119
url: https://www.dell.com/support/kbdoc/ja-jp/000180741/dsa-2020-119-dell-client-products-unauthorized-bios-password-reset-tool-vulnerability

Trust: 0.8

title: Dell Client Commercial and Consumer Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=138357

Trust: 0.6

sources: JVNDB: JVNDB-2020-015521 // CNNVD: CNNVD-202101-103

EXTERNAL IDS

db: NVD, id: CVE-2020-5361

Trust: 2.5

db: JVNDB, id: JVNDB-2020-015521

Trust: 0.8

db: CNNVD, id: CNNVD-202101-103

Trust: 0.7

db: VULHUB, id: VHN-183486

Trust: 0.1

sources: VULHUB: VHN-183486 // JVNDB: JVNDB-2020-015521 // CNNVD: CNNVD-202101-103 // NVD: CVE-2020-5361

REFERENCES

url: https://www.dell.com/support/kbdoc/en-us/000180741/dsa-2020-119-dell-client-products-unauthorized-bios-password-reset-tool-vulnerability

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-5361

Trust: 1.4

sources: VULHUB: VHN-183486 // JVNDB: JVNDB-2020-015521 // CNNVD: CNNVD-202101-103 // NVD: CVE-2020-5361

SOURCES

db: VULHUB, id: VHN-183486
db: JVNDB, id: JVNDB-2020-015521
db: CNNVD, id: CNNVD-202101-103
db: NVD, id: CVE-2020-5361

LAST UPDATE DATE

2024-11-23T23:01:09.935000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-183486, date: 2021-01-29T00:00:00
db: JVNDB, id: JVNDB-2020-015521, date: 2021-09-30T08:58:00
db: CNNVD, id: CNNVD-202101-103, date: 2021-02-01T00:00:00
db: NVD, id: CVE-2020-5361, date: 2024-11-21T05:33:58.990

SOURCES RELEASE DATE

db: VULHUB, id: VHN-183486, date: 2021-01-04T00:00:00
db: JVNDB, id: JVNDB-2020-015521, date: 2021-09-30T00:00:00
db: CNNVD, id: CNNVD-202101-103, date: 2021-01-04T00:00:00
db: NVD, id: CVE-2020-5361, date: 2021-01-04T22:15:13.950