Highlighted
A-Reyer
1 Copper

Vulnerability "XML External Entity (XXE) injection" fixed with OpenManage Version 8.4?

Dell OpenManage Version 8.3 is vulnerable to "XML External Entity (XXE) injection". (see_

https://www.exploit-db.com/exploits/39909/)

 Has this vulnerability been fixed with Dell OpenManage Version 8.4 or is there a workaround for Windows Server available?

0 Kudos
1 Reply
HANtwister
1 Copper

RE: Vulnerability "XML External Entity (XXE) injection" fixed with OpenManage Version 8.4?

It still works against v8.5.

Dell support has previously suggested to individuals that I work with that, *if* administrators don't need the web interface and only have OMSA installed for command line tools and hardware monitoring, they can either reinstall OMSA with the web administration component marked as "Do Not Install", or disable the "DSM SA Connection Service" service.

My personal take, if you configure a host-level firewall to disallow the above mentioned Windows service from creating *outbound* connections to both port 443 and port 5986, that would block the web interface from being able to manage remote (and possibly malicious) nodes (e.g., nodes besides the one the web interface is running on), which should suffice to block the exploit linked to above with a minimal loss of functionality.

If you have a Dell support contract, I'd recommend giving them a ring.

0 Kudos