CVE-2024-45761
📋 TL;DR
Dell OpenManage Server Administrator (OMSA) versions 11.0.1.0 and prior contain an improper input validation vulnerability that allows remote low-privileged users to load arbitrary web plugins or Java classes. This could lead to denial of service or alteration of application/OS behavior. Organizations using vulnerable OMSA versions are affected.
💻 Affected Systems
- Dell OpenManage Server Administrator (OMSA)
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains ability to execute arbitrary code, compromise server management functions, or cause persistent denial of service affecting server administration capabilities.
Likely Case
Attackers cause denial of service by loading malicious plugins/classes that crash OMSA services, disrupting server management operations.
If Mitigated
With proper network segmentation and access controls, impact limited to isolated management network with no critical system access.
🎯 Exploit Status
Requires low-privileged authenticated access. No public exploit code available at disclosure time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.2.0 or later
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000258320/dsa-2024-481-security-update-for-dell-openmanage-server-administrator-omsa-vulnerability
Restart Required: Yes
Instructions:
1. Download OMSA version 11.0.2.0 or later from Dell Support.
2. Backup current configuration.
3. Install update following Dell documentation.
4. Restart OMSA services.
🔧 Temporary Workarounds
Network Access Restriction
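Restrict network access to OMSA management ports (1311/1312) to trusted management networks only. Replace TRUSTED_NETWORK with the management subnet.
Linux (firewalld):
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="1311-1312" accept'
Windows:
netsh advfirewall firewall add rule name="Restrict OMSA" dir=in action=allow protocol=TCP localport=1311-1312 remoteip=TRUSTED_NETWORK
Both commands add allow rules, so they restrict access only when no broader rule already permits ports 1311-1312 from other sources. The firewalld rule is permanent and takes effect after firewalld is reloaded.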
Disable Unnecessary OMSA Features
Disable web server plugin loading features if not required for operations.
Edit OMSA configuration to disable plugin loading features (consult Dell documentation for specific parameters)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OMSA management interfaces from untrusted networks
- Enforce principle of least privilege for OMSA user accounts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check OMSA version:
On Windows: Open OMSA Web Interface → About
On Linux: dpkg -l | grep srvadmin or rpm -qa | grep srvadmin
Check Version:
Windows: wmic product where "name like 'Dell OpenManage%'" get version
Linux: omreport system about or check package version
Verify Fix Applied:
Verify version is 11.0.2.0 or later using same commands as above
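For fleet triage, the version check above can be scripted. The following is an added example, not part of the advisory or Dell's tooling: it classifies collected version strings against the fixed release 11.0.2.0. The function names, hostnames and inventory are constructed for illustration, and anything below 11.0.2.0 is assumed to be vulnerable.

```shell
#!/bin/sh
# Added example: classify OMSA version strings against the fixed release
# named on this page (11.0.2.0). Names and sample data are constructed.
FIXED_VERSION="11.0.2.0"

# Print -1, 0 or 1 as dotted version $1 is lower than, equal to or higher
# than $2. Missing components count as 0, so "11.0.2" equals "11.0.2.0".
version_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Print "vulnerable", "fixed" or "unknown" for one version string.
# Assumption: every version below 11.0.2.0 is treated as vulnerable.
omsa_status() {
    v=$1
    case "$v" in
        ""|*[!0-9.]*|.*|*.|*..*) echo "unknown"; return ;;  # not a dotted number
    esac
    if [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Read "hostname version" lines on stdin and append the status to each.
triage_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "${ver:-none}" "$(omsa_status "$ver")"
    done
}

# Constructed inventory, as it might be collected with the commands above.
SAMPLE_INVENTORY='mgmt-01 11.0.1.0
mgmt-02 11.0.2.0
mgmt-03 10.3.0.0
mgmt-04 11.1
mgmt-05 n/a'
printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

Hosts reported as "unknown" returned no parseable version and need a manual check rather than being counted as patched.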
📡 Detection & Monitoring
Log Indicators:
- Unusual plugin loading events in OMSA logs
- Multiple failed authentication attempts followed by successful low-privilege login
- OMSA service crashes or restarts
Network Indicators:
- Unusual traffic to OMSA ports (1311/1312) from non-management networks
- Multiple HTTP POST requests to plugin/class loading endpoints
SIEM Query:
source="omsa.log" AND (event="plugin_load" OR event="class_load") AND user!="admin"