CVE-2022-33924

Vulnerability

An improper access control vulnerability exists in Dell Wyse Management Suite versions 3.6.1 and below. The flaw allows an attacker with no access to create rules to potentially exploit this vulnerability and create rules. The vulnerability is present in the rule creation functionality, where proper authorization checks are missing, enabling unauthorized rule creation.

Exploitation

An attacker needs low-privileged access to the Wyse Management Suite (e.g., via valid credentials with limited permissions). No special network position is required beyond being able to reach the management console. The attacker can exploit the missing access control to create rules by directly invoking the rule creation API or interface, bypassing intended authorization checks.

Impact

Successful exploitation allows the attacker to create arbitrary rules, which can then be scheduled for execution. This leads to an integrity impact (low) as per CVSS 3.1 base score 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). The attacker cannot read or modify data outside the rule creation scope, but can influence the behavior of the management suite by introducing unauthorized rules.

Mitigation

Dell has released a security update. Wyse Management Suite version 3.7 or later contains the fix. Customers should upgrade to version 3.7 or later as outlined in DSA-2022-134 [1]. No workarounds are documented.