Dell OpenManage Network Manager Security Vulnerabilities

Dell OpenManage Network Manager Security Vulnerabilities




CVE Identifier: CVE-2018-15767, CVE-2018-15768

Severity: Medium


Affected products:

Dell OpenManage Network Manager version prior to 6.5.3 (CVE-2018-15767)
Dell OpenManage Network Manager version prior to 6.5.0 (all CVEs)


Summary:

Dell OpenManage Network Manager has been updated to address multiple vulnerabilities which may be potentially exploited to compromise the system.


Details:

The below vulnerabilities have been addressed:
  • CVE-2018-15767 – Improper Authorization Vulnerability
    The Dell OpenManage Network Manager virtual appliance versions prior to 6.5.3 contain an improper authorization vulnerability caused by a misconfiguration in the /etc/sudoers file. A malicious OpenManage Network Manager user who has ‘synergy’ account privileges could potentially exploit this vulnerability to run arbitrary commands with root privileges on the affected system.

  • CVE-2018-15768 – Insecure MySQL Configuration Vulnerability
    Dell OpenManage Network Manager versions prior to 6.5.0 enabled read/write access to the file system for MySQL users due to insecure default configuration setting for the embedded MySQL database. A malicious OpenManage Network Manager user with database access privileges could potentially exploit this vulnerability to access files stored on the server filesystem.

  • Resolution:

    The following Dell OpenManage Network Manager release contains resolutions to these vulnerabilities:
  • CVE-2018-15767 - Dell OpenManage Network Manager versions 6.5.3 and later
  • CVE-2018-15768 - Dell OpenManage Network Manager versions 6.5.0 and later

  • Dell recommends all customers upgrade at the earliest opportunity. Customers are advised to refer to the OpenManage Network Manager User Installation Guide (https://www.dell.com/support/home/us/en/04/product-support/product/dell-openmanage-network-manager/manuals) for instructions on changing any default passwords in the product.


    Workaround:

    Customers on versions prior to 6.5.0 can follow the instructions documented below to manually remediate CVE-2018-15768.

  • Disable read/write access filesystem by MySQL users:
  • o Edit file: .../oware3rd/mysql/5.0.51-pc-linux-i686-64/my.cnf
    o Add the line below to the [mysqld] section:

    secure_file_priv = /dev/null


    Link to remedies:


    Customers can download software from http://downloads.dell.com/published/pages/dell-openmanage-network-manager.html


    Credit:

    This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

    Dell recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.




    Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

    Article ID: SLN314610

    Last Date Modified: 11/02/2018 09:24 AM


    Rate this article

    Accurate
    Useful
    Easy to understand
    Was this article helpful?
    Yes No
    Send us feedback
    Comments cannot contain these special characters: <>()\
    Sorry, our feedback system is currently down. Please try again later.

    Thank you for your feedback.