SUMMARY:
- Critical Vulnerability Alert: Dell Power Manager versions before 3.17 have a high-severity access control flaw (CVE-2024-49600) allowing attackers to gain elevated privileges.
- Exploitation Risk: Attackers with local access can execute arbitrary code, bypass security measures, and compromise system confidentiality, integrity, and availability.
- Software Update: Dell has released Power Manager version 3.17 to address this vulnerability; users should update immediately as no workaround is available.
- Vulnerability Discovery: The flaw was identified and responsibly disclosed by TsungShu Chiu from CHT Security.
- Dell’s Recent Breaches: Dell faced multiple data breaches in September 2024, exposing sensitive information of employees and projects, further emphasizing the need for robust security measures.
Dell has issued a critical security alert (DSA-2024-439) regarding an Improper Access Control vulnerability discovered in its Power Manager software. This vulnerability, identified as CVE-2024-49600, could allow attackers to execute malicious code and gain elevated privileges on affected systems. The vulnerability affects versions of Dell Power Manager released before 3.17.
For context, Dell Power Manager is software widely used to manage power settings on Dell systems. The application extends system battery life and provides customizable battery maintenance settings. It also alerts users about power adapter, battery, docking, and USB Type-C device incompatibility.
The vulnerability stems from improper access control within the software, making it exploitable by low-privileged users with local access. Attackers can bypass security measures, execute arbitrary code, and gain unauthorized access to sensitive system functions. The severity of this vulnerability is rated as high, with a CVSS Base Score of 7.8.
If exploited, it could lead to significant security risks to compromised systems, jeopardizing their confidentiality, integrity, and availability. Execution of arbitrary code can lead to malware installation, data theft, or system compromise, and gaining higher-level system privileges would enable unauthorized actors to perform actions that were otherwise restricted.
Dell has released an updated version of Power Manager (version 3.17) that addresses the vulnerability. Users are strongly advised to update their software immediately to protect their systems as no workaround is currently available.
“Dell Technologies highly recommends applying this important update as soon as possible. The update contains critical bug fixes and changes to improve functionality, reliability, and stability of your Dell system,” the advisory read.
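Because there is no workaround, the only practical control is finding hosts still on a version below 3.17. The following PowerShell inventory check is an added example, not code from the advisory or from Dell; the display-name pattern for the Win32 installer entry and the package-name pattern for the Store variant are assumptions and may need adjusting for your fleet.

```powershell
# Added example (not from Dell or the advisory): flag Dell Power Manager installs
# older than the fixed release 3.17 named in DSA-2024-439 / CVE-2024-49600.
# Assumptions: the Win32 install registers an Uninstall entry whose DisplayName
# contains "Dell Power Manager", and the Microsoft Store variant is an Appx package
# whose Name contains "DellPowerManager". Both match patterns are assumptions.

$FixedVersion = [version]'3.17'

function Test-VersionBelowFix {
    param([string]$VersionText)
    # $true  -> parses as a version below 3.17 (vulnerable, update required)
    # $false -> 3.17 or later
    # $null  -> version string missing or unparsable; review the host manually
    if ([string]::IsNullOrWhiteSpace($VersionText)) { return $null }
    try { return ([version]$VersionText) -lt $FixedVersion } catch { return $null }
}

# 1. Classic (Win32) installs: read both the 64-bit and 32-bit Uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$registryFindings = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Dell Power Manager*' } |
    ForEach-Object {
        [pscustomobject]@{
            Source     = 'Uninstall registry'
            Name       = $_.DisplayName
            Version    = $_.DisplayVersion
            Vulnerable = Test-VersionBelowFix $_.DisplayVersion
        }
    }

# 2. Store (Appx) variant, checked across every user profile on the machine.
$appxFindings = Get-AppxPackage -AllUsers -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*DellPowerManager*' } |
    ForEach-Object {
        [pscustomobject]@{
            Source     = 'Appx package'
            Name       = $_.Name
            Version    = [string]$_.Version
            Vulnerable = Test-VersionBelowFix ([string]$_.Version)
        }
    }

$findings = @($registryFindings) + @($appxFindings)
if (-not $findings) { Write-Output 'Dell Power Manager not found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it elevated so the HKLM hives and all user profiles are readable; any row with Vulnerable = True or blank (unparsable) needs the 3.17 update or manual review.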
TsungShu Chiu from CHT Security identified this vulnerability and responsibly disclosed it to Dell Technologies, which in turn acknowledged and appreciated Chiu’s efforts.
Dell has been in the news for all the wrong reasons lately. Hackread.com recently reported a series of Dell data breaches involving the exposure of sensitive information. Between 19 and 24 September 2024, a hacker known as “grep” was revealed to have breached Dell thrice (once with fellow hacker “Chucky”), stealing confidential data related to Jira files, database tables, and schema migrations, totalling 3.5 GB of uncompressed data, data for 10,863 employees, and approximately 500 MB of sensitive data, including project documents and Multi-Factor Authentication (MFA) data.