The vulnerable component of Dell Support Assist is reachable through its web interface on port 443. As long as the web interface is active and enabled on its default port (443), the vulnerability can be exploited by remote attackers. It is rated critical because of the impact it could have on the entire infrastructure. Dell has released a patch to address this vulnerability. The vendor advisory can be accessed via the following link. https://www.dell.com/support/home/us/en/04/documents/software-update- advisory/Dell_OS_SA_2017-03_Vuln. The patch can be downloaded from the following link. https://www.dell.com/content/network/downloads.aspx?c=en&a=DhFz9XuaXvxEzgWkwBQ2hJ&l=en&d=protector&cid=DhFz9XuaXvxEzgWkwBQ2hJ&lm=en&a=DhFz9XuaXvXEzgWkwBQ2hJ&c=DhFz9XuaXvXEzgWkwBQ2hJ&l=en&d=en&cid=DhFz9XuaXvXEzgWkwBQ2hJ&l

Dell Support Assist is vulnerable to SQL injection

PCI, the Payment Card Industry security standard, requires that merchants be able to detect and block unauthorized transactions. The PCI Data Security Standard (DSS) is a set of rules that can be applied to prevent fraud across all types of payment systems, such as credit cards and, more recently, 3-D Secure. The standard covers areas such as installing and maintaining secure products, monitoring security events and detecting threats.
The PCI DSS has been updated every few years since its inception in 2006. One of the latest changes is a requirement that merchants undergo an annual DSS compliance scan by an external third party. A merchant that does not have this scan performed for their business must report it to their card company and may face fines or sanctions.
While the Dell Support Assist web interface is not designed to handle card data, it does allow users to submit credit card information over an HTTP connection without any authentication. This means the vulnerability could potentially affect other services that depend on it, such as e-commerce websites that use the Stripe or Braintree APIs for credit card processing.
To address this issue, Dell has released a patch for Dell Support Assist version 4.20 that fixes the vulnerability. Note that if you are still running older versions of Dell Support Assist, you need to upgrade immediately, before customers are no longer able to complete transactions through the vulnerable component of your infrastructure.

Timeline

Published on: 09/28/2022 21:15:00 UTC
Last modified on: 09/30/2022 17:20:00 UTC

References