CVE-2020-5377 – Dell EMC OpenManage Server Administrator (OMSA)... (How to Fix)

Q: What is the severity of CVE-2020-5377?

CVE-2020-5377 has a CVSS score of 9.1 (CRITICAL). Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain path traversal vulnerabilities in the Web API. An unauthenticated remote attacker can exploit these by sending crafted requests with directory traversal sequences to read arbitrary files on the management station. This affects all systems running vulnerable OMSA versions.

📋 TL;DR

Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain path traversal vulnerabilities in the Web API. An unauthenticated remote attacker can exploit these by sending crafted requests with directory traversal sequences to read arbitrary files on the management station. This affects all systems running vulnerable OMSA versions.

💻 Affected Systems

Products:

Dell EMC OpenManage Server Administrator (OMSA)

Versions: 9.4 and all prior versions

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects both Windows and Linux versions of OMSA. The Web API is typically enabled by default.

📦 What is this software?

Emc Openmanage Server Administrator by Dell

View all CVEs affecting Emc Openmanage Server Administrator →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the management station, credential theft from configuration files, lateral movement to managed servers, and potential ransomware deployment across the infrastructure.

🟠

Likely Case

Sensitive file disclosure including configuration files, logs, and credentials, leading to further system compromise and data exfiltration.

🟢

If Mitigated

Limited to file read operations if proper network segmentation and access controls are implemented, but still exposes sensitive information.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers to directly target exposed management interfaces from the internet.

🏢 Internal Only: HIGH - Even internally, unauthenticated access means any compromised internal host can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available on Packet Storm Security. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.5 or later

Vendor Advisory: https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability?lang=en

Restart Required: Yes

Instructions:

1. Download OMSA version 9.5 or later from Dell Support. 2. Stop OMSA services. 3. Install the updated version. 4. Restart OMSA services. 5. Verify the update completed successfully.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to OMSA Web API to trusted management networks only

# Windows: Use Windows Firewall to block port 1311 (default) from untrusted networks
# Linux: Use iptables: iptables -A INPUT -p tcp --dport 1311 -s TRUSTED_NETWORK -j ACCEPT; iptables -A INPUT -p tcp --dport 1311 -j DROP

Disable Web API

all

Temporarily disable the vulnerable Web API component if not required

# Windows: Stop 'Dell OpenManage Server Administrator Web Server' service
# Linux: systemctl stop dsm_om_shrsvc.service

🧯 If You Can't Patch

Implement strict network segmentation to isolate OMSA management interfaces from untrusted networks
Deploy web application firewall (WAF) rules to block path traversal patterns in HTTP requests

🔍 How to Verify

Check if Vulnerable:

Check OMSA version via GUI or command line. Versions 9.4.x.x or lower are vulnerable.

Check Version:

# Windows: Check Programs and Features or run 'omreport system version'# Linux: rpm -qa | grep -i srvadmin or dpkg -l | grep -i srvadmin

Verify Fix Applied:

Verify OMSA version is 9.5.0.0 or higher and test that path traversal attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

HTTP requests containing '../' sequences to OMSA Web API endpoints
Unusual file access patterns from OMSA process
Failed authentication attempts followed by successful file reads

Network Indicators:

HTTP GET/POST requests to OMSA API with directory traversal payloads
Traffic to OMSA port 1311 from unexpected sources

SIEM Query:

source="omsa.log" AND ("..\" OR "../" OR "%2e%2e%2f")

📊 Metadata

CVE ID: CVE-2020-5377

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-22

Published: July 28, 2020

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/162110/Dell-OpenManage-Server-Administrator-9.4.0.0-File-Read.html Exploit,Third Party Advisory,VDB Entry
https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability?lang=en Vendor Advisory
http://packetstormsecurity.com/files/162110/Dell-OpenManage-Server-Administrator-9.4.0.0-File-Read.html Exploit,Third Party Advisory,VDB Entry
https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability?lang=en Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-5377, you might also want to check these: