CVE-2020-5377
Published 2020-07-28
CVSS 3.1 base score: 9.1 (critical)
Exploit: public exploit available (see references)
EPSS: 48.33% (98.7th percentile)
Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | dell_open_manage_server_administrator | >= unspecified < 9.5 | 9.5 |
| dell | emc_openmanage_server_administrator | <= 9.4 | — |
Detection & IOCs (extracted from sources)
- Detect authentication bypass attempts to LoginServlet with POST parameters 'targetmachine' pointing to an attacker-controlled IP and 'user' field containing the string 'VULNERABILITY:CVE-2020-5377'
- Monitor GET requests to /DownloadServlet with query parameters 'help=Certificate&app=oma' combined with a 'file=' parameter containing directory traversal sequences (e.g., '../'), as this is the path traversal file read primitive
- Alert on unauthenticated POST requests to /LoginServlet with 'flag=true&managedws=false' query string, which is the first step of the authentication bypass chain
- The exploit impersonates a Dell OMSA remote system by standing up a fake HTTPS server on port 443 responding to WS-Management/SOAP requests; look for outbound SOAP connections from the OMSA host to unexpected external IPs
- Detect Windows-style path traversal normalization in the 'file=' parameter: the exploit strips drive letters (e.g., 'C:\') and converts backslashes to forward slashes before sending, so monitor for both encoded and decoded traversal patterns
- The exploit requires the attacker to host a fake Dell OMSA SOAP/WS-Management server reachable by the target; the 'targetmachine' POST parameter in the LoginServlet request must point to the attacker's IP, meaning network egress from the OMSA host to attacker infrastructure is a prerequisite
- The fake server uses a self-signed certificate generated on the fly (server.pem); the exploit sets 'ignorecertificate=1' in the login request, meaning OMSA does not validate the remote server's TLS certificate during the auth bypass
- Affected versions are Dell EMC OMSA 9.4 and prior; the exploit is specifically demonstrated against version 9.4.0.0
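As an added example (not part of this record, and not Dell or NVD tooling), the request-level indicators above turned into a small log scanner: it flags the /DownloadServlet file-read primitive when 'help=Certificate&app=oma' is combined with a traversal sequence in 'file=' (raw, URL-encoded, or backslash-style), and the unauthenticated POST to /LoginServlet with 'flag=true&managedws=false'. The log format, tag names and sample lines are assumptions constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (made up for this example, not from any real host).
SAMPLE_LOGS = [
    '10.0.0.5 - - [28/Jul/2020:10:00:01 +0000] "GET /DownloadServlet?help=Certificate&app=oma&file=../../../etc/passwd HTTP/1.1" 200 1234',
    '10.0.0.5 - - [28/Jul/2020:10:00:02 +0000] "GET /DownloadServlet?help=Certificate&app=oma&file=..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 512',
    '10.0.0.5 - - [28/Jul/2020:10:00:03 +0000] "GET /DownloadServlet?help=Certificate&app=oma&file=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 400',
    '10.0.0.5 - - [28/Jul/2020:09:59:58 +0000] "POST /LoginServlet?flag=true&managedws=false HTTP/1.1" 302 0',
    '10.0.0.7 - - [28/Jul/2020:10:01:00 +0000] "GET /DownloadServlet?help=Certificate&app=oma&file=omsa_cert.cer HTTP/1.1" 200 2048',
    '10.0.0.8 - - [28/Jul/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'\.\./')

def has_traversal(value: str) -> bool:
    """Decode up to two layers of URL encoding and fold backslashes to '/', so
    raw, encoded and Windows-style '..\\' sequences are all detected."""
    decoded = unquote(unquote(value))
    return bool(TRAVERSAL_RE.search(decoded.replace('\\', '/')))

def classify(line: str) -> Optional[str]:
    """Return a detection tag for a log line, or None if it matches no indicator."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs also URL-decodes values
    path = parts.path.lower()
    # Indicator: file-read primitive via help=Certificate&app=oma plus traversal in file=
    if path.endswith('/downloadservlet') and qs.get('help') == ['Certificate'] and qs.get('app') == ['oma']:
        if any(has_traversal(f) for f in qs.get('file', [])):
            return 'omsa-path-traversal-read'
    # Indicator: first step of the auth-bypass chain against LoginServlet
    if path.endswith('/loginservlet') and m.group('method') == 'POST':
        if qs.get('flag') == ['true'] and qs.get('managedws') == ['false']:
            return 'omsa-loginservlet-bypass-attempt'
    return None

def scan(lines):
    """Return (source_ip, tag) pairs for every line that triggers an indicator."""
    return [(line.split()[0], tag) for line in lines if (tag := classify(line))]

if __name__ == '__main__':
    for src, tag in scan(SAMPLE_LOGS):
        print(f'{src}\t{tag}')
```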
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/162110/Dell-OpenManage-Server-Administrator-9.4.0.0-File-Read.html
- https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability?lang=en