Dell Technologies has released a security update for its Wyse Management Suite (WMS) to address multiple vulnerabilities that could allow malicious users to compromise affected systems.
Wyse Management Suite is a flexible hybrid cloud solution that empowers IT admin to securely manage Dell client devices from anywhere.
The vulnerabilities identified in Dell Wyse Management Suite are categorized as “High” in terms of severity, as they could enable attackers to bypass authentication mechanisms, delete arbitrary files, or cause a denial of service.
These weaknesses could potentially compromise the security and functionality of the affected systems.
Details of the Vulnerabilities
Several vulnerabilities have been identified in the Wyse Management Suite (WMS) version 4.4 and earlier.
Notably, CVE-2024-7553 is a third-party component vulnerability affecting MongoDB, which is utilized within WMS. For comprehensive details on this CVE, please refer to the National Vulnerability Database (NVD).
In addition to the third-party issue, there are multiple proprietary code vulnerabilities:
CVE-2024-49595 addresses an Authentication Bypass by Capture-Replay. This vulnerability affects WMS versions 4.4 and prior, allowing a high-privileged attacker with remote access to exploit the system, potentially leading to a denial of service. It has a CVSS score of 7.6 (High).
CVE-2024-49597 involves the Improper Restriction of Excessive Authentication Attempts. Also impacting WMS 4.4 and earlier versions, this vulnerability could enable a high-privileged attacker to bypass protection mechanisms. It carries a CVSS score of 7.6 (High) and shares the same vector as CVE-2024-49595.
CVE-2024-49596 pertains to Missing Authorization. Exploitation of this vulnerability in WMS 4.4 and prior versions could lead to denial of service and arbitrary file deletion. It has a CVSS score of 5.9 (Medium).
Dell advises that customers consider not only the CVSS base scores but also any relevant temporal and environmental scores to assess the potential severity of each vulnerability in their specific deployment environment.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
Affected Products and Remediation
Dell has identified the following products and provided remediation details:
CVE IDs Addressed | Product | Affected Versions | Remediated Versions | Release Date |
---|---|---|---|---|
CVE-2024-7553 CVE-2024-49595, CVE-2024-49597, CVE-2024-49596 |
Dell Wyse Management Suite | Versions 4.4 and prior | 4.4.1 or later | November 25, 2024 |
CVE-2024-49596 | Dell Wyse Management Suite Repository | Versions 4.4 and prior | 4.4.1 or later | November 25, 2024 |
Action Recommended: Upgrade to WMS version 4.4.1 or later to address all identified vulnerabilities.
Workarounds and Mitigations
None available. Dell strongly advises applying the update, as no workarounds or mitigations exist for the identified vulnerabilities.
Dell Technologies extends its gratitude to the individuals and organizations that responsibly disclosed the recently identified vulnerabilities.
Specifically, CVE-2024-49596 was reported by Ahmed Y. Elmogy, and CVE-2024-49595 was identified by Harm Blankers, Jasper Westerman, and Yanick de Pater from REQON B.V. Their contributions have been invaluable in enhancing the security and integrity of our products.
Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.