Unrated severity · NVD Advisory · Published Feb 10, 2023 · Updated Mar 26, 2025

CVE-2022-34392

Description

SupportAssist for Home PCs (versions 3.11.4 and prior) contains an insufficient session expiration vulnerability. An authenticated non-admin user can obtain the refresh token, which leads to reuse of the access token and fetching of sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dell SupportAssist for Home PCs 3.11.4 and prior fail to expire sessions, allowing a non-admin user to reuse a refresh token and access sensitive information.

Vulnerability

CVE-2022-34392 affects Dell SupportAssist for Home PCs versions 3.11.4 and prior [1]. The software implements insufficient session expiration, meaning that after a user authenticates, their refresh token does not become invalid on schedule [1]. This flaw exists in the token lifecycle management of the application, allowing a valid refresh token to be reused beyond its intended expiration window.

Exploitation

An attacker must already be an authenticated, non-admin user of SupportAssist on the same PC [1]. No special privileges are required beyond standard authentication. The attacker can obtain the refresh token from their own session and, because the token has not expired, reuse it to obtain new access tokens at will [1]. This can be done repeatedly without triggering any re-authentication or other controls.

Impact

A successful attack leads to unauthorized reuse of an access token, which the attacker can then use to fetch sensitive information that their account is otherwise permitted to view [1]. The impact is limited to information disclosure (confidentiality); it does not grant additional privileges beyond what the authenticated non-admin user already has [1].

Mitigation

Dell has released an update resolving this vulnerability; users should upgrade to a version later than 3.11.4 [1]. For current information, refer to Dell security advisory DSA-2022-190 [1]. No workaround has been published.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
