23 Oct Security Advisory – SOS-19-001 – XML External Entities Injection (XXE) in XNAT 1.7
Release Date: 23-Oct-2019
Last Update: –
Vendor Notification Date: 09-Jul-2019
Product: XNAT
Platform: Linux and possibly others
Affected versions: 1.7.5.3 (confirmed) and possibly earlier versions
Severity Rating: High
Impact: System Access
Attack Vector: Remote with authentication
Solution Status: XNAT 1.7.5.4 Hotfix Release
CVE reference: CVE-2019-14276
Details
An XML External Entity (XXE) vulnerability affects applications that parse XML input. Importing an XML file that contains an XML external entity into the XNAT application permits an attacker to retrieve a local file from the web server. The attacker must be authenticated to the application. The attack occurs when XML input contains a reference to an external entity, such as a local file on the web server, and the parser resolves it. Common targets include configuration files (e.g. ASP.NET web.config) and Linux password files (e.g. /etc/shadow).
The following URL is affected: /REST/search
Please refer to the PDF version of this advisory for proof of concept code examples.
Solution
Apply patch from XNAT 1.7.5.4 Hotfix Release.
Additional information is available at:
https://wiki.xnat.org/news/blog/2019/08/xnat-1-7-5-4-hotfix-release-now-available
https://wiki.xnat.org/documentation/getting-started-with-xnat/what-s-new-in-xnat/xnat-1-7-5-4-release-notes
Discovered By
Hamed Merati from Sense of Security Labs.