Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-15766

Summary
Assigner-dell
Assigner Org ID-c550e75a-17ff-4988-97f0-544cde3820fe
Published At-11 Oct, 2018 | 19:00
Updated At-16 Sep, 2024 | 23:30
Rejected At-
Credits

Dell Encryption and Dell Endpoint Security Suite Enterprise Security Policy Overwrite Vulnerability

On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint Security Suite Enterprise versions prior 2.0.1 will overwrite and manually set the "Minimum Password Length" group policy object to a value of 1 on that device. This allows for users to bypass any existing policy for password length and potentially create insecure password on their device. This value is defined during the installation of the "Encryption Management Agent" or "EMAgent" application. There are no other known values modified.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:dell
Assigner Org ID:c550e75a-17ff-4988-97f0-544cde3820fe
Published At:11 Oct, 2018 | 19:00
Updated At:16 Sep, 2024 | 23:30
Rejected At:
▼CVE Numbering Authority (CNA)
Dell Encryption and Dell Endpoint Security Suite Enterprise Security Policy Overwrite Vulnerability

On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint Security Suite Enterprise versions prior 2.0.1 will overwrite and manually set the "Minimum Password Length" group policy object to a value of 1 on that device. This allows for users to bypass any existing policy for password length and potentially create insecure password on their device. This value is defined during the installation of the "Encryption Management Agent" or "EMAgent" application. There are no other known values modified.

Affected Products
Vendor
Dell Inc.Dell
Product
Encryption
Versions
Affected
  • From unspecified before 10.0.1 (custom)
Vendor
Dell Inc.Dell
Product
Endpoint Security Suite Enterprise
Versions
Affected
  • From unspecified before 2.0.1 (custom)
Problem Types
TypeCWE IDDescription
textN/APassword Policy Vulnerability
Type: text
CWE ID: N/A
Description: Password Policy Vulnerability
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds

For affected devices, the minimum password length policy should be changed manually to what is desired for the current environment. If Dell Endpoint Security Suite Enterprise or Dell Encryption Enterprise’s Encryption Management Agent is installed on a Domain Controller or a device that is not joined to a domain, the default minimum password length will need to be changed on the local device. If Dell Endpoint Security Suite Enterprise or Dell Encryption Enterprise’s Encryption Management Agent is installed on a device that is joined to a domain, the default minimum password length will need to be changed within the enterprise’s Group Policy Management console. Default values for this property is ‘7’ in most configurations. This Microsoft KB article outlines how to modify this setting: https://technet.microsoft.com/en-us/library/dd277399.aspx External Link

Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.dell.com/support/article/us/en/04/sln313561/dell-encryption-and-dell-endpoint-security-suite-enterprise-security-policy-overwrite-vulnerability?lang=en
x_refsource_CONFIRM
Hyperlink: https://www.dell.com/support/article/us/en/04/sln313561/dell-encryption-and-dell-endpoint-security-suite-enterprise-security-policy-overwrite-vulnerability?lang=en
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.dell.com/support/article/us/en/04/sln313561/dell-encryption-and-dell-endpoint-security-suite-enterprise-security-policy-overwrite-vulnerability?lang=en
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.dell.com/support/article/us/en/04/sln313561/dell-encryption-and-dell-endpoint-security-suite-enterprise-security-policy-overwrite-vulnerability?lang=en
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security_alert@emc.com
Published At:11 Oct, 2018 | 19:29
Updated At:24 Aug, 2020 | 17:37

On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint Security Suite Enterprise versions prior 2.0.1 will overwrite and manually set the "Minimum Password Length" group policy object to a value of 1 on that device. This allows for users to bypass any existing policy for password length and potentially create insecure password on their device. This value is defined during the installation of the "Encryption Management Agent" or "EMAgent" application. There are no other known values modified.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
Type: Primary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
CPE Matches
Dell Inc.
dell
>>encryption>>Versions before 10.0.1(exclusive)
cpe:2.3:a:dell:encryption:*:*:*:*:*:*:*:*
Dell Inc.
dell
>>endpoint_security_suite_enterprise>>Versions before 2.0.1(exclusive)
cpe:2.3:a:dell:endpoint_security_suite_enterprise:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-521Primarynvd@nist.gov
CWE ID: CWE-521
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.dell.com/support/article/us/en/04/sln313561/dell-encryption-and-dell-endpoint-security-suite-enterprise-security-policy-overwrite-vulnerability?lang=ensecurity_alert@emc.com
Mitigation
Vendor Advisory
Hyperlink: https://www.dell.com/support/article/us/en/04/sln313561/dell-encryption-and-dell-endpoint-security-suite-enterprise-security-policy-overwrite-vulnerability?lang=en
Source: security_alert@emc.com
Resource:
Mitigation
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found