CVE-2022-34385

Vulnerability

SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a cryptographic weakness vulnerability [1]. The issue resides in the proprietary code components of these products, which handle sensitive data using insufficiently secure cryptographic mechanisms [1]. An authenticated non-admin user can potentially exploit this weakness to obtain sensitive information [1].

Exploitation

Exploitation requires an attacker to be an authenticated non-admin user on the local system [1]. The attacker must be able to execute code or perform actions within the context of the SupportAssist application [1]. The exact sequence of steps is not detailed in the available references, but the cryptographic weakness likely allows the attacker to decrypt or bypass protection of sensitive data stored or transmitted by the product [1].

Impact

Upon successful exploitation, an attacker can obtain sensitive information, leading to a confidentiality impact of High [1]. The CVSS vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates no impact on integrity or availability [1]. The attacker gains access to data that should be protected, potentially including credentials, personal data, or other confidential information [1].

Mitigation

Dell has released security updates to address this vulnerability [1]. For SupportAssist for Home PCs, users should update to version 3.11.5 or later; for SupportAssist for Business PCs, update to version 3.2.1 or later [1]. The Dell advisory DSA-2022-190 provides download links and further details [1]. No workarounds are currently available, and users are advised to apply the patch as soon as possible [1].