CVE-2023-28071: 
Dell Command Update vulnerability analysis and mitigation

Dell Command | Update, Dell Update, and Alienware Update versions 4.9.0, A01 and prior contain an Insecure Operation on Windows Junction / Mount Point vulnerability. The vulnerability was disclosed on June 13, 2023, and is tracked as CVE-2023-28071. The affected software includes Dell Command | Update, Dell Update, and Alienware Update applications (Dell Advisory).

The vulnerability is classified as an Insecure Operation on Windows Junction / Mount Point vulnerability (CWE-1386, CWE-59). It received a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating local access required, high attack complexity, low privileges required, no user interaction needed, and potential for high impact on integrity and availability (NVD).

If exploited, this vulnerability could allow a local malicious user to create arbitrary folders leading to permanent Denial of Service (DOS). The vulnerability affects system integrity and availability, with no direct impact on confidentiality (Dell Advisory).

Dell has released version 4.9.0, A02 on June 13, 2023, to address this vulnerability. Users are advised to upgrade to the remediated version. The update is available for both Universal Windows Platform version for Windows 10 32-bit and 64-bit systems, and Windows 32 and 64-bit version for Microsoft Windows 10 (Dell Advisory).

Dell Technologies acknowledged the security researcher ycdxsb for reporting this vulnerability (Dell Advisory).