Details of VAR-202109-1535

ID

VAR-202109-1535

CVE

CVE-2021-36297

TITLE

SupportAssist Client Code problem vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202109-1867

DESCRIPTION

SupportAssist Client version 3.8 and 3.9 contains an Untrusted search path vulnerability that allows attackers to load an arbitrary .dll file via .dll planting/hijacking, only by a separate administrative action that is not a default part of the SOSInstallerTool.exe installation for executing arbitrary dll's,. DELL Dell SupportAssist Client is a client application of Dell (DELL). The program provides automated, proactive and predictive techniques for troubleshooting and more. There is a code problem vulnerability in SupportAssist Client, which is caused by the management operation in the product arbitrarily loading dll files when loading files. An attacker could exploit this vulnerability to execute arbitrary files. The following products and versions are affected: SupportAssist Client versions 3.8 and 3.9

Trust: 1.08

sources: NVD: CVE-2021-36297 // VULHUB: VHN-397578 // VULMON: CVE-2021-36297

AFFECTED PRODUCTS

vendor:

dell

model:

supportassist for home pcs

scope:

version:

3.9.0

Trust: 1.0

sources: NVD: CVE-2021-36297

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-36297
value:	HIGH
Trust: 1.0
security_alert@emc.com:	CVE-2021-36297
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-202109-1867
value:	HIGH
Trust: 0.6
VULHUB:	VHN-397578
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-36297
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-36297
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-397578
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-36297
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
security_alert@emc.com:	CVE-2021-36297
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-397578 // VULMON: CVE-2021-36297 // CNNVD: CNNVD-202109-1867 // NVD: CVE-2021-36297 // NVD: CVE-2021-36297

PROBLEMTYPE DATA

problemtype:

CWE-426

Trust: 1.1

sources: VULHUB: VHN-397578 // NVD: CVE-2021-36297

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202109-1867

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202109-1867

PATCH

title:

SupportAssist Client Fixes for code issue vulnerabilities

url:

http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=164866

Trust: 0.6

sources: CNNVD: CNNVD-202109-1867

EXTERNAL IDS

db:	NVD	id:	CVE-2021-36297	Trust: 1.8
db:	CNNVD	id:	CNNVD-202109-1867	Trust: 0.7
db:	CNVD	id:	CNVD-2022-83202	Trust: 0.1
db:	VULHUB	id:	VHN-397578	Trust: 0.1
db:	VULMON	id:	CVE-2021-36297	Trust: 0.1

sources: VULHUB: VHN-397578 // VULMON: CVE-2021-36297 // CNNVD: CNNVD-202109-1867 // NVD: CVE-2021-36297

REFERENCES

url:	https://www.dell.com/support/kbdoc/en-us/000191057/dsa-2021-163-dell-supportassist-client-consumer-security-update-for-two-vulnerabilities	Trust: 1.8
url:	https://cwe.mitre.org/data/definitions/426.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-397578 // VULMON: CVE-2021-36297 // CNNVD: CNNVD-202109-1867 // NVD: CVE-2021-36297

SOURCES

db:	VULHUB	id:	VHN-397578
db:	VULMON	id:	CVE-2021-36297
db:	CNNVD	id:	CNNVD-202109-1867
db:	NVD	id:	CVE-2021-36297

LAST UPDATE DATE

2024-08-14T14:18:21.873000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-397578	date:	2021-10-07T00:00:00
db:	VULMON	id:	CVE-2021-36297	date:	2021-10-07T00:00:00
db:	CNNVD	id:	CNNVD-202109-1867	date:	2021-10-08T00:00:00
db:	NVD	id:	CVE-2021-36297	date:	2021-10-07T12:56:21.137

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-397578	date:	2021-09-28T00:00:00
db:	VULMON	id:	CVE-2021-36297	date:	2021-09-28T00:00:00
db:	CNNVD	id:	CNNVD-202109-1867	date:	2021-09-28T00:00:00
db:	NVD	id:	CVE-2021-36297	date:	2021-09-28T20:15:07.780