Vulnerability "XML External Entity (XXE) injection" fixed with OpenManage Version 8.4? - Dell Systems Management General Forum - Systems Management - Dell Community
Systems Management Forums

Vulnerability "XML External Entity (XXE) injection" fixed with OpenManage Version 8.4?

Systems Management

Systems Management
Dell Systems Management Solutions: Dell OpenManage, iDRAC, Repository Manager, Microsoft SCCM, Chassis Managment Controller, and more

Vulnerability "XML External Entity (XXE) injection" fixed with OpenManage Version 8.4?

  • Dell OpenManage Version 8.3 is vulnerable to "XML External Entity (XXE) injection". (see_

    https://www.exploit-db.com/exploits/39909/)

     Has this vulnerability been fixed with Dell OpenManage Version 8.4 or is there a workaround for Windows Server available?

  • It still works against v8.5.

    Dell support has previously suggested to individuals that I work with that, *if* administrators don't need the web interface and only have OMSA installed for command line tools and hardware monitoring, they can either reinstall OMSA with the web administration component marked as "Do Not Install", or disable the "DSM SA Connection Service" service.

    My personal take, if you configure a host-level firewall to disallow the above mentioned Windows service from creating *outbound* connections to both port 443 and port 5986, that would block the web interface from being able to manage remote (and possibly malicious) nodes (e.g., nodes besides the one the web interface is running on), which should suffice to block the exploit linked to above with a minimal loss of functionality.

    If you have a Dell support contract, I'd recommend giving them a ring.