Details of VAR-202109-1534

ID

VAR-202109-1534

CVE

CVE-2021-36286

TITLE

Dell SupportAssist Client Consumer Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-012491

DESCRIPTION

Dell SupportAssist Client Consumer versions 3.9.13.0 and any versions prior to 3.9.13.0 contain an arbitrary file deletion vulnerability that can be exploited by using the Windows feature of NTFS called Symbolic links. Symbolic links can be created by any(non-privileged) user under some object directories, but by themselves are not sufficient to successfully escalate privileges. However, combining them with a different object, such as the NTFS junction point allows for the exploitation. Support assist clean files functionality do not distinguish junction points from the physical folder and proceeds to clean the target of the junction that allows nonprivileged users to create junction points and delete arbitrary files on the system which can be accessed only by the admin. Dell SupportAssist Client Consumer Exists in a past traversal vulnerability.Information is tampered with and service operation is interrupted (DoS) It may be in a state. DELL Dell SupportAssist Client is a client application of Dell (DELL). The program provides automated, proactive and predictive techniques for troubleshooting and more. An attacker can combine this vulnerability with an NTFS junction point to escalate privileges and delete files arbitrarily. The following products and versions are affected: Dell SupportAssist Client Consumer version 3.9.13.0 and earlier

Trust: 1.8

sources: NVD: CVE-2021-36286 // JVNDB: JVNDB-2021-012491 // VULHUB: VHN-397579 // VULMON: CVE-2021-36286

AFFECTED PRODUCTS

vendor:	dell	model:	supportassist client consumer	scope:	lte	version:	3.9.13.0	Trust: 1.0
vendor:	デル	model:	dell supportassist client consumer	scope:	lte	version:	3.9.13.0 and earlier	Trust: 0.8
vendor:	デル	model:	dell supportassist client consumer	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-012491 // NVD: CVE-2021-36286

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-36286
value:	HIGH
Trust: 1.0
security_alert@emc.com:	CVE-2021-36286
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-36286
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202109-1866
value:	HIGH
Trust: 0.6
VULHUB:	VHN-397579
value:	LOW
Trust: 0.1
VULMON:	CVE-2021-36286
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2021-36286
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:N/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-397579
severity:	LOW
baseScore:	3.6
vectorString:	AV:L/AC:L/AU:N/C:N/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-36286
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.2
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2021-012491
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-397579 // VULMON: CVE-2021-36286 // JVNDB: JVNDB-2021-012491 // CNNVD: CNNVD-202109-1866 // NVD: CVE-2021-36286 // NVD: CVE-2021-36286

PROBLEMTYPE DATA

problemtype:	CWE-59	Trust: 1.1
problemtype:	CWE-22	Trust: 1.0
problemtype:	Path traversal (CWE-22) [ others ]	Trust: 0.8

sources: VULHUB: VHN-397579 // JVNDB: JVNDB-2021-012491 // NVD: CVE-2021-36286

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202109-1866

TYPE

post link

Trust: 0.6

sources: CNNVD: CNNVD-202109-1866

PATCH

title:	DSA-2021-163	url:	https://www.dell.com/support/kbdoc/ja-jp/000191057/dsa-2021-163-dell-supportassist-client-consumer-security-update-for-two-vulnerabilities	Trust: 0.8
title:	Dell SupportAssist Client Repair measures for path traversal vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=164865	Trust: 0.6
title:	CVE-2021-36286	url:	https://github.com/AIPOCAI/CVE-2021-36286	Trust: 0.1
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2021-36286	Trust: 0.1

sources: VULMON: CVE-2021-36286 // JVNDB: JVNDB-2021-012491 // CNNVD: CNNVD-202109-1866

EXTERNAL IDS

db:	NVD	id:	CVE-2021-36286	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-012491	Trust: 0.8
db:	CNNVD	id:	CNNVD-202109-1866	Trust: 0.7
db:	VULHUB	id:	VHN-397579	Trust: 0.1
db:	VULMON	id:	CVE-2021-36286	Trust: 0.1

sources: VULHUB: VHN-397579 // VULMON: CVE-2021-36286 // JVNDB: JVNDB-2021-012491 // CNNVD: CNNVD-202109-1866 // NVD: CVE-2021-36286

REFERENCES

url:	https://www.dell.com/support/kbdoc/en-us/000191057/dsa-2021-163-dell-supportassist-client-consumer-security-update-for-two-vulnerabilities	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-36286	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/59.html	Trust: 0.1
url:	https://github.com/aipocai/cve-2021-36286	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-397579 // VULMON: CVE-2021-36286 // JVNDB: JVNDB-2021-012491 // CNNVD: CNNVD-202109-1866 // NVD: CVE-2021-36286

SOURCES

db:	VULHUB	id:	VHN-397579
db:	VULMON	id:	CVE-2021-36286
db:	JVNDB	id:	JVNDB-2021-012491
db:	CNNVD	id:	CNNVD-202109-1866
db:	NVD	id:	CVE-2021-36286

LAST UPDATE DATE

2024-08-14T14:44:16.485000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-397579	date:	2022-10-25T00:00:00
db:	VULMON	id:	CVE-2021-36286	date:	2022-10-25T00:00:00
db:	JVNDB	id:	JVNDB-2021-012491	date:	2022-09-01T03:13:00
db:	CNNVD	id:	CNNVD-202109-1866	date:	2022-10-26T00:00:00
db:	NVD	id:	CVE-2021-36286	date:	2022-10-25T14:56:21.220

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-397579	date:	2021-09-28T00:00:00
db:	VULMON	id:	CVE-2021-36286	date:	2021-09-28T00:00:00
db:	JVNDB	id:	JVNDB-2021-012491	date:	2022-09-01T00:00:00
db:	CNNVD	id:	CNNVD-202109-1866	date:	2021-09-28T00:00:00
db:	NVD	id:	CVE-2021-36286	date:	2021-09-28T20:15:07.727