How to remediate – Dell OpenManage Server Administrator Path Traversal (DSA-2020-…

1. Introduction

Dell OpenManage Server Administrator (OMSA) is affected by a path traversal vulnerability, allowing unauthenticated remote attackers to gain file system access on vulnerable systems via crafted web API requests. This could lead to data theft, modification, or denial of service. Systems running Dell OMSA are typically affected, particularly those exposed to the internet or untrusted networks. A successful exploit can compromise confidentiality, integrity, and availability.

2. Technical Explanation

The vulnerability is caused by improper sanitization of user-supplied input when processing web API requests within Dell OpenManage Server Administrator. An attacker can manipulate the request to access files outside of the intended directory structure. CVE-2020-5377 describes this issue. For example, an attacker could send a specially crafted HTTP GET request containing malicious characters in a parameter to read sensitive system files. Affected versions are those prior to 9.3.0.2 and 9.4.0.2.

• Root cause: Missing input validation on user-supplied data within the web API interface.
• Exploit mechanism: An attacker sends a crafted HTTP request with malicious characters in a parameter to traverse file paths. Example payload: /api/files?path=../../../../etc/passwd
• Scope: Dell OpenManage Server Administrator versions prior to 9.3.0.2 and 9.4.0.2 running on Linux, Windows, and VMware ESXi platforms.

3. Detection and Assessment

Confirming vulnerability requires checking the installed OMSA version. A thorough assessment involves attempting to exploit the path traversal flaw in a test environment.

• Quick checks: Use the OMSA web interface or command line to determine the current version. For example, on Linux: /opt/dell/srvadmin/sbin/omisa --version
• Scanning: Nessus vulnerability ID 138796 can detect this issue. This is an example only and may require configuration.
• Logs and evidence: Check OMSA web server logs for suspicious requests containing path traversal characters (e.g., “..”, “/”) or attempts to access restricted files. Log paths vary by operating system; consult Dell documentation.

/opt/dell/srvadmin/sbin/omisa --version

4. Solution / Remediation Steps

4.1 Preparation

• Ensure you have downloaded the correct patch for your operating system and OMSA version. A roll back plan involves restoring from the pre-update backup or snapshot.
• A change window may be required depending on your environment; approval from IT management is recommended.

4.2 Implementation

1. Step 1: Download Dell EMC OpenManage Server Administrator 9.3.0.2 / 9.4.0.2 or later from the official Dell support website.
2. Step 2: Install the downloaded patch using your operating system’s package manager or installer. On Linux, this may involve commands like dpkg -i .deb or rpm -Uvh .rpm.

4.3 Config or Code Example

There are no configuration changes required; this vulnerability is resolved by updating to a patched version.

Before

N/A - Vulnerable OMSA Version

After

/opt/dell/srvadmin/sbin/omisa --version (Output shows 9.3.0.2 or later)

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this type of vulnerability. Least privilege limits the impact if exploited, while input validation blocks unsafe data from being processed. A robust patch cadence ensures timely application of security updates.

• Practice 1: Implement least privilege principles to restrict access to sensitive files and directories.
• Practice 2: Enforce strict input validation on all user-supplied data, especially in web applications.

4.5 Automation (Optional)

# Example Ansible playbook snippet
- name: Install Dell OpenManage Server Administrator patch
  package:
    name: dell-omsa
    state: latest
    version: 9.3.0.2 # Or later
  become: true

5. Verification / Validation

Confirm the fix by verifying the updated OMSA version and attempting to exploit the path traversal vulnerability in a test environment. A service smoke test should be performed to ensure functionality remains intact.

• Post-fix check: Run /opt/dell/srvadmin/sbin/omisa --version; expected output shows version 9.3.0.2 or later.
• Re-test: Attempt the earlier exploit attempt (e.g., accessing /etc/passwd via a crafted HTTP request); it should now be blocked.
• Smoke test: Verify that you can still access OMSA web interface and perform basic system management tasks.

/opt/dell/srvadmin/sbin/omisa --version (Output shows 9.3.0.2 or later)

6. Preventive Measures and Monitoring

Update security baselines to include the latest OMSA version requirements. Implement checks in CI/CD pipelines to prevent deployment of vulnerable versions. Establish a regular patch review cycle that fits your risk profile.

• Baselines: Update security configuration baselines (e.g., CIS benchmarks) to require OMSA 9.3.0.2 or later.
• Asset and patch process: Implement a monthly patch review cycle for critical systems like servers running OMSA.

7. Risks, Side Effects, and Roll Back

• Risk or side effect 1: Patch installation may require a server reboot, causing downtime.
• Risk or side effect 2: Compatibility issues with existing plugins or integrations are possible; test thoroughly.

8. References and Resources

Consult official advisories for accurate information about this vulnerability.

• Vendor advisory or bulletin: https://www.dell.com/support/kbdoc/000192674
• NVD or CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2020-5377
• Product or platform documentation relevant to the fix: https://www