{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/wso2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WSO2"],"_cs_severities":["high"],"_cs_tags":["xxe","cve-2024-2374","wso2","xml","vulnerability","attack","cloud","network"],"_cs_type":"advisory","_cs_vendors":["WSO2"],"content_html":"\u003cp\u003eCVE-2024-2374 exposes a critical vulnerability in multiple WSO2 products stemming from improper configuration of XML parsers. These parsers, when processing user-supplied XML data, fail to prevent the resolution of external entities. This oversight enables attackers to inject malicious XML payloads designed to include external resources, both local and remote. The vulnerability allows an attacker to read confidential files from the file system, access limited HTTP resources reachable by the product, and perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources. This poses a significant risk to the confidentiality, integrity, and availability of WSO2-based systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WSO2 product exposed to network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload containing an external entity declaration (e.g., \u003ccode\u003e\u0026lt;!DOCTYPE foo [ \u0026lt;!ENTITY xxe SYSTEM \u0026quot;file:///etc/passwd\u0026quot;\u0026gt; ]\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious XML payload to a WSO2 endpoint that processes XML data, such as an API endpoint or configuration upload page, via an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe WSO2 product's XML parser processes the payload without proper configuration to disable external entity resolution.\u003c/li\u003e\n\u003cli\u003eThe parser attempts to resolve the external entity, initiating a read operation on the specified file (\u003ccode\u003e/etc/passwd\u003c/code\u003e in the example) or a request to a remote HTTP resource.\u003c/li\u003e\n\u003cli\u003eThe contents of the file or the response from the HTTP resource are embedded into the XML document, potentially visible in error messages or other outputs.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information, such as system files, configuration data, or credentials.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a payload with deeply nested or recursive external entities, causing the XML parser to consume excessive CPU and memory, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-2374 can lead to the exposure of sensitive data residing on the WSO2 server's file system, including configuration files, credentials, and internal application data. An attacker can also access internal HTTP resources that the WSO2 server has access to. Furthermore, the vulnerability can be leveraged to trigger denial-of-service conditions, disrupting WSO2 services and impacting business operations. While specific numbers are unavailable, a widespread exploitation could affect numerous organizations relying on vulnerable WSO2 products across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches or updates provided by WSO2 to address CVE-2024-2374 on all affected products immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect XXE Attempt via HTTP Request\u003c/code\u003e to identify potential exploitation attempts targeting WSO2 servers (or other systems).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing XML content with external entity declarations, focusing on the \u003ccode\u003ecs-uri-query\u003c/code\u003e and \u003ccode\u003ecs-uri-path\u003c/code\u003e fields (webserver log source).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures on all XML data processed by WSO2 products to prevent the injection of malicious payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-16T09:16:34Z","date_published":"2024-04-16T09:16:34Z","id":"https://feed.craftedsignal.io/briefs/2024-04-wso2-xxe/","summary":"CVE-2024-2374 describes an XML External Entity (XXE) vulnerability in multiple WSO2 products, where improperly configured XML parsers allow attackers to inject malicious XML payloads to include external resources, leading to confidential file access, limited HTTP resource access, and denial-of-service attacks.","title":"WSO2 Products Vulnerable to XML External Entity (XXE) Injection via CVE-2024-2374","url":"https://feed.craftedsignal.io/briefs/2024-04-wso2-xxe/"}],"language":"en","title":"CraftedSignal Threat Feed - WSO2","version":"https://jsonfeed.org/version/1.1"}