CVE-2018-15767
published 2018-11-30


Priority: P2 (64), high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: EXPLOIT
EPSS: 12.32% (95.7th percentile)
The Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file.

Affected (3 ranges)

Vendor   Product                      Version range               Fixed in
dell     openmanage_network_manager   < 6.5.3                     6.5.3
dell     openmanage_network_manager   >= unspecified, < 6.5.3     6.5.3
dell     openmanage_network_manager   >= unspecified, < 6.5.0     6.5.0

Detection & IOCs (extracted from sources)

port: 3306
port: 8080
other: password "dorado"
path: /opt/VAroot/dell/openmanage/networkmanager/oware/synergy/tomcat-7.0.40/webapps/nvhelp/
url: http://<target>:8080/nvhelp/<shell>.jsp
path: /etc/sudoers
  • Detect unauthenticated or default-credential MySQL connections to port 3306 from external/untrusted hosts targeting the appliance; accounts 'root', 'owmeta', and 'oware' with password 'dorado' are the known default credentials used in exploitation.
  • Alert on MySQL SELECT ... INTO OUTFILE statements writing .jsp files into the web application directory, specifically under /opt/VAroot/dell/openmanage/networkmanager/oware/synergy/tomcat-7.0.40/webapps/nvhelp/.
  • Monitor HTTP POST requests to /nvhelp/*.jsp on port 8080 with a 'cmd' parameter, which is the webshell interaction pattern used by the exploit.
  • Detect MySQL FLUSH LOGS commands issued after a SELECT INTO OUTFILE, as the exploit uses this sequence to finalize JSP shell deployment.
  • Alert on new .jsp files created in the nvhelp web directory with random 8-character alphanumeric filenames, consistent with the exploit's shell-naming pattern.
  • The MySQL service is bound to 0.0.0.0 with an empty IPTables ruleset (default ACCEPT policy), making it reachable from any network interface. Verify firewall rules block external access to port 3306.
  • The MySQL service runs as the OS root user, meaning any SQL-level code execution (e.g., SELECT INTO OUTFILE) directly results in root-owned files on the filesystem.
  • Three default MySQL accounts ('root', 'owmeta', 'oware') all share the same default password 'dorado'; any one of them is sufficient for exploitation.
  • The privilege escalation from webshell to root relies on a misconfigured /etc/sudoers file (CVE-2018-15767), allowing the web process to run arbitrary commands as root via 'sudo sh -c'.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C