CVE-2022-46678

Vulnerability

Wyse Management Suite versions 3.8 and earlier contain an improper access control vulnerability (CVE-2022-46678). An authenticated malicious admin user can edit general client policy for which they are not authorized. The vulnerability exists in the policy management functionality and requires no special configuration beyond a standard installation [1].

Exploitation

An attacker needs a valid admin account with network access to the Wyse Management Suite server. The exploit involves using the policy editing interface to modify general client policies that are outside the attacker's authorized scope. No user interaction is required, and the attack complexity is low [1].

Impact

Successful exploitation allows the attacker to edit client policies they should not have access to. According to the CVSS vector, the primary impact is on availability (A:H), as unauthorized policy changes could disrupt client functionality. Confidentiality and integrity are not affected [1].

Mitigation

Dell has released a security update to address this vulnerability. Users should upgrade to the latest version of Wyse Management Suite as indicated in the Dell advisory [1]. No workarounds have been provided.