CVE-2023-28071 Overview
CVE-2023-28071 affects Dell Command | Update, Dell Update, and Alienware Update versions 4.9.0, A01 and prior. The flaw is an Insecure Operation on Windows Junction / Mount Point vulnerability classified under [CWE-59] (Link Following) and [CWE-1386] (Insecure Operation on Windows Junction / Mount Point). A local authenticated user can abuse this weakness to create arbitrary folders on the file system. Successful exploitation results in a permanent Denial of Service (DoS) condition on the affected host. The issue requires local access with low privileges and no user interaction.
Critical Impact
A local low-privileged attacker can leverage Windows junction abuse in the Dell update clients to create arbitrary folders, producing a permanent denial-of-service condition on impacted systems.
Affected Products
- Dell Command | Update versions 4.9.0, A01 and prior
- Dell Update versions 4.9.0, A01 and prior
- Alienware Update versions 4.9.0, A01 and prior
Discovery Timeline
- 2023-06-23 - CVE-2023-28071 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-28071
Vulnerability Analysis
The vulnerability resides in how Dell Command | Update, Dell Update, and Alienware Update perform file system operations on Windows. The update clients operate on directory paths without validating whether those paths contain NTFS junctions or mount points. A local attacker can plant a junction that redirects a directory operation performed by the privileged update service. The service then follows the junction and performs the operation against the redirected target. The result is arbitrary folder creation in locations the unprivileged user could not normally write to. Because the created folders cannot be easily removed by the user, the condition is persistent and breaks normal application or system functionality, producing a permanent DoS.
Root Cause
The root cause is a link-following weakness in which the affected Dell update applications do not check for symbolic links, junctions, or mount points before performing file system operations. This pattern aligns directly with [CWE-59] and [CWE-1386]. The trust boundary is crossed when a higher-privileged process performs operations on attacker-controllable paths.
Attack Vector
Exploitation is local and requires an authenticated user on the target Windows host. The attacker prepares a Windows junction in a writable directory consumed by the vulnerable Dell update binary. When the update workflow runs, the privileged process follows the junction and creates a folder at the attacker-chosen target. No user interaction is needed beyond the normal update execution, and the impact remains until manual cleanup with elevated rights.
No public proof-of-concept code is available for CVE-2023-28071. Refer to the Dell Security Advisory DSA-2023-170 for vendor technical details.
Detection Methods for CVE-2023-28071
Indicators of Compromise
- Unexpected folders created in system or program directories outside of normal installer activity.
- Presence of NTFS junctions in user-writable temporary or log directories used by DellCommandUpdate.exe, DellUpdate.exe, or AlienwareUpdate.exe.
- Update logs showing directory creation operations targeting non-standard paths.
Detection Strategies
- Monitor for CreateDirectory operations performed by Dell update services where the parent path contains a reparse point.
- Audit process execution of Dell update binaries followed by file system reparse point traversal events (Windows Event ID 4663 with appropriate SACLs).
- Hunt for low-privileged user processes creating junctions (mklink /J) in directories consumed by Dell update components.
Monitoring Recommendations
- Enable file system auditing on directories used by Dell Command | Update, Dell Update, and Alienware Update.
- Track installed versions of the three Dell update products across the fleet and alert on hosts still running 4.9.0 A01 or earlier.
- Correlate Sysmon Event ID 11 (FileCreate) with Event ID 1 (ProcessCreate) for the Dell update process tree to surface anomalous folder creation.
How to Mitigate CVE-2023-28071
Immediate Actions Required
- Upgrade Dell Command | Update, Dell Update, and Alienware Update to the fixed version published in Dell Security Advisory DSA-2023-170.
- Inventory all endpoints and identify systems still running version 4.9.0 A01 or earlier.
- Restrict interactive logon on shared workstations where local low-privileged users could stage junction-based attacks.
Patch Information
Dell has released fixed versions addressing CVE-2023-28071. Apply the updates documented in the Dell Security Advisory DSA-2023-170. The advisory is the authoritative source for fixed build numbers and download locations for each of the three affected products.
Workarounds
- Remove or disable vulnerable Dell update clients on hosts that cannot be patched immediately.
- Limit local user accounts on systems where Dell update agents run with elevated privileges.
- Apply NTFS permissions to deny non-administrative users the ability to create reparse points in directories accessed by the update services.
# Verify installed Dell Command | Update version on Windows
wmic product where "Name like 'Dell Command%%Update%%'" get Name,Version
# Identify reparse points (junctions) in a directory tree
dir /AL /S C:\Users\Public
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
