Multiple vulnerabilities in Dell EMC Secure Remote Services (SRS) Virtual Edition



Risk High
Patch available YES
Number of vulnerabilities 35
CVE-ID CVE-2019-11713
CVE-2019-13117
CVE-2017-12652
CVE-2019-7317
CVE-2019-11727
CVE-2019-11729
CVE-2019-11709
CVE-2019-11715
CVE-2019-17006
CVE-2020-2654
CVE-2019-11719
CVE-2019-11711
CVE-2019-11712
CVE-2019-11745
CVE-2019-11717
CVE-2019-11730
CVE-2019-9811
CVE-2019-13118
CVE-2020-2754
CVE-2020-2756
CVE-2020-2803
CVE-2020-2767
CVE-2020-2773
CVE-2020-2659
CVE-2020-2805
CVE-2020-2800
CVE-2020-2583
CVE-2020-2781
CVE-2019-18197
CVE-2020-2778
CVE-2020-2757
CVE-2020-2601
CVE-2020-2816
CVE-2020-2764
CVE-2020-2755
CWE-ID CWE-416
CWE-200
CWE-20
CWE-295
CWE-119
CWE-79
CWE-122
CWE-125
CWE-352
CWE-787
CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Secure Remote Services (SRS) Virtual Edition
Other software / Other software solutions

Vendor Dell

Security Bulletin

This security bulletin contains information about 35 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU33034

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11713

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU18965

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13117

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to information disclosure in numbers.c in libxslt library where an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. A remote attacker can gain knowledge whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU19180

Risk: Low

CVSSv3.1: 2.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-12652

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in libpng when checking the chuck length against the user limit. A remote attacker can supply a specially crafted PNG image and crash the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU17708

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-7317

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists due to a use-after-free memory error in the png_image_free function, as defined in the png.c source code file when calling on png_safe_execute. A remote attacker can send specially crafted data, trigger a call on png_safe_execute and trigger memory corruption, resulting in a DoS condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper Certificate Validation

EUVDB-ID: #VU47195

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11727

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists doe to an error within the Mozilla NSS library, when working with TLS certificates. A remote attacker can force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. A remote attacker can perform a Man-in-the-Middle attack and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU23562

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11729

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing an empty or malformed p256-ECDH public keys. A remote attacker can trigger a segmentation fault and cause a denial of service condition on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

EUVDB-ID: #VU33030

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11709

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cross-site scripting

EUVDB-ID: #VU33035

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11715

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Heap-based buffer overflow

EUVDB-ID: #VU47197

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17006

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Mozilla NSS library when processing input text length while using certain cryptographic primitives. A remote attacker can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU25092

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2654

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Out-of-bounds read

EUVDB-ID: #VU33037

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11719

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Input validation error

EUVDB-ID: #VU33032

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11711

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Cross-site request forgery

EUVDB-ID: #VU33033

Risk: High

CVSSv3.1: 7.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11712

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR &lt; 60.8, Firefox &lt; 68, and Thunderbird &lt; 60.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Out-of-bounds write

EUVDB-ID: #VU23050

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11745

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the NSC_EncryptUpdate() function in /lib/softoken/pkcs11c.c, when performing padding operations in Mozilla NSS. A remote attacker can pass specially crafted data to the affected application, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Input validation error

EUVDB-ID: #VU33036

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11717

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Information disclosure

EUVDB-ID: #VU33439

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11730

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU33399

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-9811

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Information disclosure

EUVDB-ID: #VU18966

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13118

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to uninitialized stack data exposure in numbers.c in libxslt library when processing an invalid character/length combination in xsltNumberFormatDecimal. A remote attacker can gain pass specially crafted data to the application using the affected library and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Improper input validation

EUVDB-ID: #VU27227

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2754

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Improper input validation

EUVDB-ID: #VU27230

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2756

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Improper input validation

EUVDB-ID: #VU27212

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2803

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Improper input validation

EUVDB-ID: #VU27223

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2767

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Improper input validation

EUVDB-ID: #VU27229

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2773

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Improper input validation

EUVDB-ID: #VU25094

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2659

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Networking component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Improper input validation

EUVDB-ID: #VU27219

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2805

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Improper input validation

EUVDB-ID: #VU27224

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2800

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Lightweight HTTP Server component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Improper input validation

EUVDB-ID: #VU25095

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2583

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Improper input validation

EUVDB-ID: #VU27221

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2781

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Buffer overflow

EUVDB-ID: #VU21942

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18197

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the xsltCopyText() function in transform.c in libxslt. A remote attacker can create a specially crafted XML document, pass it to the affected application, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Improper input validation

EUVDB-ID: #VU27225

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2778

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Improper input validation

EUVDB-ID: #VU27231

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2757

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Improper input validation

EUVDB-ID: #VU25088

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2601

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Improper input validation

EUVDB-ID: #VU27220

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2816

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Improper input validation

EUVDB-ID: #VU27226

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2764

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Advanced Management Console component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Improper input validation

EUVDB-ID: #VU27228

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2755

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Secure Remote Services (SRS) Virtual Edition: 3.40.00.08 - 3.44.00.08

CPE2.3 External links

http://www.dell.com/support/kbdoc/en-us/000153741/dsa-2020-190-dell-emc-srs-virtual-edition-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###