CVE-2019-18579 - OpenCVE

Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1.3 contain a configuration vulnerability. The BIOS configuration for the "Enable Thunderbolt (and PCIe behind TBT) pre-boot modules" setting is enabled by default. A local unauthenticated attacker with physical access to a user's system can obtain read or write access to main memory via a DMA attack during platform boot.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Xps 7390 Xps 7390 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dell:xps_7390_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:xps_7390:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.dell.com/support/article/SLN319808

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2019-12-16T19:45:13.370981Z

Updated: 2024-09-16T22:31:09.094Z

Reserved: 2019-10-29T00:00:00

Link: CVE-2019-18579

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-12-16T20:15:15.930

Modified: 2019-12-30T17:33:28.090

Link: CVE-2019-18579

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CPG BIOS", "vendor": "Dell", "versions": [{"lessThan": "1.1.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2019-12-05T00:00:00", "descriptions": [{"lang": "en", "value": "Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1.3 contain a configuration vulnerability. The BIOS configuration for the \"Enable Thunderbolt (and PCIe behind TBT) pre-boot modules\" setting is enabled by default. A local unauthenticated attacker with physical access to a user's system can obtain read or write access to main memory via a DMA attack during platform boot."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-16", "description": "CWE-16: Configuration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-12-16T19:45:13", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.dell.com/support/article/SLN319808"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2019-12-05", "ID": "CVE-2019-18579", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CPG BIOS", "version": {"version_data": [{"version_affected": "<", "version_value": "1.1.3"}]}}]}, "vendor_name": "Dell"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1.3 contain a configuration vulnerability. The BIOS configuration for the \"Enable Thunderbolt (and PCIe behind TBT) pre-boot modules\" setting is enabled by default. A local unauthenticated attacker with physical access to a user's system can obtain read or write access to main memory via a DMA attack during platform boot."}]}, "impact": {"cvss": {"baseScore": 7.6, "baseSeverity": "High", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-16: Configuration"}]}]}, "references": {"reference_data": [{"name": "https://www.dell.com/support/article/SLN319808", "refsource": "MISC", "url": "https://www.dell.com/support/article/SLN319808"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:54:14.504Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.dell.com/support/article/SLN319808"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2019-18579", "datePublished": "2019-12-16T19:45:13.370981Z", "dateReserved": "2019-10-29T00:00:00", "dateUpdated": "2024-09-16T22:31:09.094Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:xps_7390_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0BBB0FF-E736-4AC7-A41A-DF330BFC5C0E", "versionEndExcluding": "1.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dell:xps_7390:-:*:*:*:*:*:*:*", "matchCriteriaId": "CCF5CF43-8B82-438E-B9F9-CEF767B39AD6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Settings for the Dell XPS 13 2-in-1 (7390) BIOS versions prior to 1.1.3 contain a configuration vulnerability. The BIOS configuration for the \"Enable Thunderbolt (and PCIe behind TBT) pre-boot modules\" setting is enabled by default. A local unauthenticated attacker with physical access to a user's system can obtain read or write access to main memory via a DMA attack during platform boot."}, {"lang": "es", "value": "La configuraci\u00f3n de las versiones anteriores a 1.1.3 del Dell XPS 13 2-in-1 (7390) BIOS, contiene una vulnerabilidad de configuraci\u00f3n. La configuraci\u00f3n del BIOS para la configuraci\u00f3n \"Enable Thunderbolt (and PCIe behind TBT) pre-boot modules\" est\u00e1 habilitada por defecto. Un atacante local no autenticado con acceso f\u00edsico al sistema de un usuario puede obtener acceso de lectura o escritura a la memoria principal por medio de un ataque de tipo DMA durante el arranque de la plataforma."}], "id": "CVE-2019-18579", "lastModified": "2019-12-30T17:33:28.090", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 6.0, "source": "security_alert@emc.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-16T20:15:15.930", "references": [{"source": "security_alert@emc.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.dell.com/support/article/SLN319808"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-16"}], "source": "security_alert@emc.com", "type": "Secondary"}]}