Vulnerability in libxml2
Download as DOCX, PDF0 likes311 views
This vulnerability allows attackers to disrupt availability of applications using libxml2 through denial of service attacks. It is caused by improper processing of XML files containing predefined entity definitions by libxml2 versions 2.7.0 and 2.7.1. Successful attacks can exhaust all CPU, memory, and disk resources, making affected systems and applications unavailable. It resembles the "Billion Laughs" XML bomb vulnerability from 2003. Organizations should upgrade to libxml2 2.7.2 and implement input validation and access restrictions to mitigate risks.
![available to end users. In this case, the application must be restarted in order for the service to become
available again. In some cases, exploitation leads not to CPU overload, but also to exhaustion of memory
and disk resources. This is largely application specific.
Déjà vu
The vulnerability (also known as CVE-2014-3660) can be exploited on several platforms that depend on
libxml2 and resembles a variation of the well-known "Billion Laughs” vulnerability that was discovered
in 2003.
The most well-known XXE-related denial of service attack is the "billion laughs" attack which exploits the
ability to define nested entities defined within an XML DTD to build an XML memory bomb. This bomb is
a specially-crafted document that an attacker writes with nested entities and in-line DTDs that will cause
the parser to generate an exponentially expanded payload, potentially overloading the application
process memory and causing a disruption in service. For example:
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
Going through the evaluation process depicted in the example above, when an XML parser loads this
document it will include one root element “lolz” that contains the defined entity “&lol9;”. The “&lol9;”
entity expands to a string containing ten “&lol8;” entities. Each “&lol8;” entity is expanded to ten other
“&lol7;” entities and so forth, until it reaches the leaf entity “&lol;”. After processing all of the
expansions, the entities are resolved through string substitutions and consequently would incur
considerable amounts of memory resources – in such attacks a ( < 1 KB) block of XML can consume
almost 3GB of memory.](https://image.slidesharecdn.com/vulnerabilityinlibxml2-150316084623-conversion-gate01/85/Vulnerability-in-libxml2-2-320.jpg)
Vulnerability in libxml2
- 1. Vulnerability in libxml2 Denial of Service attack prevention XML is a very popular markup language, first standardized in the late 1990's and adopted by countless software projects. It is used in configuration files, document formats (such as OOXML, ODF, PDF, RSS, ...), image formats (SVG, EXIF headers), and networking protocols (WebDAV, CalDAV, XMLRPC, SOAP, XMPP, SAML, XACML, …). These examples barely scratch the surface. XML is so pervasive that any weakness or security vulnerability that affects XML generally, no matter how minor, can have a serious impact on the world's computer systems overall due to the variety and unpredictability of contexts it is used in. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs) are a well-known source of potential security problems. Despite being publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious DTDs. As one would expect with any well-known, but commonly found type of vulnerability, this situation stems from the fact that overall awareness within the development community remains low, while the behavior of many XML parsers is to expose risky features by default. This paper is an attempt to approach these problems by providing an up-to-date reference of a wide variety of XML schema and DTD attacks. Meanwhile, we hope any additional awareness this brings will help to encourage developers of XML library vendors to disable the most dangerous of features by default and improve API documentation to mitigate any remaining risks. On 16 October 2014, a vulnerability was reported in libxml2, a library for the processing of eXtensible Markup Language (XML). XML is a language for the exchange of structured information between applications. Attackers can use this vulnerability to disrupt the availability of (web) applications through a so called Denial-of-Service (DoS) attack. The vulnerability is caused due to an error in the processing of XML files and can be exploited to exhaust all available memory via a specially crafted XML file containing a predefined entity inside an entity definition. The vulnerability is reported in versions 2.7.0 and 2.7.1. Effect of this vulnerability Successful attacks can cause an application to consume the full CPU power of a system such that other applications are not able to access the CPU, and thus, cannot function properly. This could mean that a web application is no longer available to end users. Every XML based interface that is available over the internet and that makes use of libxml2 can be remotely exploited. This is not the case if filtering is implemented or if the application sufficiently filters user input. Examples of this type of interface are SOAP connections, XML-RPC and REST interfaces. Exploitation of this vulnerability leads to libxml2 consuming all available CPU power. Because Processor capacity is subsequently no longer available to other applications, the system or applications on this system will be no longer available. Practically, this could mean that a web application is no longer
- 2. available to end users. In this case, the application must be restarted in order for the service to become available again. In some cases, exploitation leads not to CPU overload, but also to exhaustion of memory and disk resources. This is largely application specific. Déjà vu The vulnerability (also known as CVE-2014-3660) can be exploited on several platforms that depend on libxml2 and resembles a variation of the well-known "Billion Laughs” vulnerability that was discovered in 2003. The most well-known XXE-related denial of service attack is the "billion laughs" attack which exploits the ability to define nested entities defined within an XML DTD to build an XML memory bomb. This bomb is a specially-crafted document that an attacker writes with nested entities and in-line DTDs that will cause the parser to generate an exponentially expanded payload, potentially overloading the application process memory and causing a disruption in service. For example: <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> Going through the evaluation process depicted in the example above, when an XML parser loads this document it will include one root element “lolz” that contains the defined entity “&lol9;”. The “&lol9;” entity expands to a string containing ten “&lol8;” entities. Each “&lol8;” entity is expanded to ten other “&lol7;” entities and so forth, until it reaches the leaf entity “&lol;”. After processing all of the expansions, the entities are resolved through string substitutions and consequently would incur considerable amounts of memory resources – in such attacks a ( < 1 KB) block of XML can consume almost 3GB of memory.
- 3. Mitigation It is highly recommended a system upgrade to a libxml2 version that is not vulnerable. If libxml2 is supplied in combination with a device or other software, the supplier should be asked for a version which supports a non-vulnerable version of libxml2. If upgrading is not an option, then it is also recomended evaluating the risk of this vulnerability for your organization and, according to the results, implementing the solutions considered necessary: 1. Limit the possibilities for a user to import XML content. Especially, make sure the user has no control over the DOCTYPE in an XML file. 2. Validate XML contents before offering them to libxml2. This validation can be an XML firewall that scans the XML file or a separate XML parser that is not based on libxml2 (e.g. libexpat) and parses the XML before libxml2 parses the file. Also, make sure that the validation is performed on raw content and not on already processed content, as in the latter case, the XML will already be directed to libxml2. 3. Shield XML parsers wherever possible. If the XML parser does not need to be publicly available, then make sure that access is restricted by a firewall or by some sort of authentication mechanism. The use of an alternate XML parser is not seen as a practical solution, because this will require a partial rewrite of the application. This may be technically complex. Vulnerable version: 2.7.0 and 2.7.1. Solution: 1. Update to version 2.7.2. ftp://xmlsoft.org/libxml2/ 2. Follow the mitigation steps Attribution: National Cyber Security Centre