Linux Kernel Dell WMI Sysman Plaintext Password Leak Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Dell WMI Systems Management driver has been addressed. The issue arose because the 'set_new_password' function hex dumped the entire password buffer, including current and new passwords, thereby leaking plaintext credentials. This vulnerability affects the Linux kernel through version 6.4.0.

Impact

The vulnerability could lead to unauthorized access to plaintext password data, including current and new passwords, potentially allowing for unauthorized password changes or access to password-protected resources.

Reproduction

The vulnerability can be reproduced by using the Dell WMI Systems Management driver in the Linux kernel. When the 'set_new_password' function is called, it will hex dump the entire password buffer, including unencrypted current and new passwords, before the password is processed. This hex dump creates a plaintext password leak.
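The logging pattern described above, shown as a userspace C model. This is an added example, not code from the kernel driver: the function names, the back-to-back buffer layout and the sample passwords are assumptions constructed for illustration. It contrasts a debug hex dump of the whole buffer with a log line that records only the length.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: debug-log every byte of the buffer as hex. */
void log_hexdump(char *log, size_t cap, const char *buf, size_t len)
{
    size_t off = 0;
    log[0] = '\0';
    for (size_t i = 0; i < len && off + 3 < cap; i++)
        off += (size_t)snprintf(log + off, cap - off, "%02x ", (unsigned char)buf[i]);
}

/* Hardened pattern: log metadata only, never the buffer contents. */
void log_redacted(char *log, size_t cap, size_t len)
{
    snprintf(log, cap, "password request: %zu bytes (contents not logged)", len);
}

/* Decode hex pairs from a log line and report whether the secret is
 * recoverable, as it would be for anyone able to read the log. */
int log_reveals(const char *log, const char *secret)
{
    char decoded[256];
    size_t n = 0;
    unsigned int byte;
    int used;
    while (n < sizeof(decoded) - 1 && sscanf(log, "%2x %n", &byte, &used) == 1) {
        decoded[n++] = (char)byte;
        log += used;
    }
    decoded[n] = '\0';
    return strstr(decoded, secret) != NULL;
}

int main(void)
{
    /* Constructed sample: current and new password back to back (assumed layout). */
    const char req[] = "OldPw#1NewPw#2";
    char log[256];
    log_hexdump(log, sizeof(log), req, strlen(req));
    printf("hex dump reveals new password: %d\n", log_reveals(log, "NewPw#2"));
    log_redacted(log, sizeof(log), strlen(req));
    printf("redacted log reveals new password: %d\n", log_reveals(log, "NewPw#2"));
    return 0;
}
```

Hex encoding is not protection: the dump decodes back to both passwords, while the length-only line carries nothing to recover.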

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.

Added: Mar 25, 2026, 11:52 AM
Updated: Mar 25, 2026, 11:52 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.