CVE-2024-37129

Vulnerability

Dell Inventory Collector, versions prior to 12.3.0.6, contains a path traversal vulnerability that allows a local authenticated user to write files outside the intended directory. This can lead to arbitrary code execution on the system. The issue exists in the product's file handling routines where insufficient validation of user-supplied paths is performed [1].

Exploitation

An attacker must have local authenticated access to the system. The exploitation requires user interaction (e.g., opening a crafted file or performing a specific action from the user interface) and a high attack complexity due to race conditions or other mitigating factors. The CVSS vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H indicates the need for local access, high attack complexity, low privileges, and user interaction [1].

Impact

Successful exploitation allows the attacker to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerable component does not share a security boundary with the attacker's scope, meaning the compromise is contained within the affected product (scope unchanged) [1].

Mitigation

Dell has released version 12.3.0.6 on 06/24/2024 to remediate this vulnerability. Users should update Dell Inventory Collector to this version or later. Dell Command Update, Dell Update, Alienware Update, and Dell SupportAssist for PCs automatically update Inventory Collector without user interaction [1].