CVE-2022-33928
Description
Dell Wyse Management Suite 3.6.1 and below contains a Plain-text Password Storage Vulnerability in UI. An attacker with low privileges could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Wyse Management Suite 3.6.1 and below stores passwords in plain text in the UI, allowing low-privilege attackers to obtain user credentials.
Vulnerability
Dell Wyse Management Suite versions 3.6.1 and earlier contain a plain-text password storage vulnerability in the user interface [1]. The application stores certain user credentials in an unencrypted plain-text format within the UI layer, making them accessible to anyone with low-level access to the management interface [1]. This affects all versions up to and including 3.6.1.
Exploitation
An attacker with low privileges on the Wyse Management Suite can access the UI component where credentials are stored in plain text [1]. The attacker does not require any special authentication beyond their existing low-privileged session. By navigating to the relevant UI elements, the attacker can read the exposed credentials directly [1]. No user interaction or complex preparatory steps are necessary for this exploitation.
Impact
Successful exploitation leads to the disclosure of certain user credentials, including those of other users with potentially higher privileges [1]. The attacker can then use the compromised credentials to log in to the vulnerable application and gain the privileges of the compromised account [1]. This could allow the attacker to perform actions or access data that would otherwise be restricted.
Mitigation
Dell released a security update for Wyse Management Suite to address this vulnerability. According to the advisory, the fix is included in version 3.7 or later [1]. Users should upgrade to version 3.7 or the latest available version as soon as possible. No workarounds are mentioned in the available references. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.6.1
- Range: unspecified
Patches
No patches discovered yet.
References