CVE-2020-5377
published 2020-07-28


Priority P178, critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 48.33% (98.7th percentile)
Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | dell_open_manage_server_administrator | >= unspecified < 9.5 | 9.5 |
| dell | emc_openmanage_server_administrator | <= 9.4 | |

Detection & IOCs (extracted from sources)

url: https://{target}/LoginServlet?flag=true&managedws=false
url: https://{target}/{pathid}/DownloadServlet?help=Certificate&app=oma&vid={pathid}&file={file}
cookie: JSESSIONID=<session>
path: /LoginServlet
path: /DownloadServlet
  • Detect authentication bypass attempts against LoginServlet in which the POST parameter 'targetmachine' points to an attacker-controlled IP and the 'user' field contains the string 'VULNERABILITY:CVE-2020-5377'
  • Monitor GET requests to /DownloadServlet that combine the query parameters 'help=Certificate&app=oma' with a 'file=' parameter containing directory traversal sequences (e.g., '../'); this is the path traversal file read primitive
  • Alert on unauthenticated POST requests to /LoginServlet with 'flag=true&managedws=false' query string, which is the first step of the authentication bypass chain
  • The exploit impersonates a Dell OMSA remote system by standing up a fake HTTPS server on port 443 responding to WS-Management/SOAP requests; look for outbound SOAP connections from the OMSA host to unexpected external IPs
  • Detect Windows-style path traversal normalization in the 'file=' parameter: the exploit strips drive letters (e.g., 'C:\') and converts backslashes to forward slashes before sending, so monitor for both encoded and decoded traversal patterns
  • The exploit requires the attacker to host a fake Dell OMSA SOAP/WS-Management server reachable by the target; the 'targetmachine' POST parameter in the LoginServlet request must point to the attacker's IP, meaning network egress from the OMSA host to attacker infrastructure is a prerequisite
  • The fake server uses a self-signed certificate generated on-the-fly (server.pem); the exploit sets 'ignorecertificate=1' in the login request, meaning OMSA does not validate the remote server's TLS certificate during the auth bypass
  • Affected versions are Dell EMC OMSA 9.4 and prior; the exploit is specifically demonstrated against version 9.4.0.0
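
A log-scanning sketch for the LoginServlet and DownloadServlet request patterns listed above, added here as an example and not taken from the CVE sources or any vendor tooling. It assumes web access logs in Common Log Format; the sample lines, addresses and file names are constructed, and POST body fields such as 'targetmachine' are not visible in this kind of log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed sample lines in Common Log Format (assumed log source and layout).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jul/2020:10:00:01 +0000] "POST /LoginServlet?flag=true&managedws=false HTTP/1.1" 200 512
192.0.2.10 - - [28/Jul/2020:10:00:03 +0000] "GET /abc123/DownloadServlet?help=Certificate&app=oma&vid=abc123&file=..%2F..%2Fexample.txt HTTP/1.1" 200 1024
192.0.2.10 - - [28/Jul/2020:10:00:04 +0000] "GET /abc123/DownloadServlet?help=Certificate&app=oma&vid=abc123&file=%252e%252e%255cexample.txt HTTP/1.1" 200 1024
198.51.100.7 - - [28/Jul/2020:10:05:00 +0000] "GET /abc123/DownloadServlet?help=Certificate&app=oma&vid=abc123&file=omacert.cer HTTP/1.1" 200 2048
198.51.100.7 - - [28/Jul/2020:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 300
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3}')

def has_traversal(value, max_rounds=3):
    """True if value holds a '..' path segment after repeated URL-decoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in value.replace("\\", "/").split("/")

def classify(line):
    """Return (source_ip, rule_name) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, target = m.groups()
    url = urlsplit(target)
    q = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if (method == "POST" and url.path.endswith("/LoginServlet")
            and q.get("flag") == "true" and q.get("managedws") == "false"):
        return src, "login-flag-managedws"
    if (method == "GET" and url.path.endswith("/DownloadServlet")
            and q.get("help") == "Certificate" and q.get("app") == "oma"
            and has_traversal(q.get("file", ""))):
        return src, "download-traversal"
    return None

def scan(log_text):
    """Return all findings plus the sources that triggered both rules."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    rules_by_src = {}
    for src, rule in findings:
        rules_by_src.setdefault(src, set()).add(rule)
    chained = sorted(s for s, r in rules_by_src.items() if len(r) == 2)
    return findings, chained

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The `chained` list marks sources that hit both the login request and a traversal download, which is the sequence the list above describes.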

CVSS provenance

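| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |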