<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2024-2374 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2024-2374/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 16 Apr 2024 09:16:34 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2024-2374/feed.xml" rel="self" type="application/rss+xml"/><item><title>WSO2 Products Vulnerable to XML External Entity (XXE) Injection via CVE-2024-2374</title><link>https://feed.craftedsignal.io/briefs/2024-04-wso2-xxe/</link><pubDate>Tue, 16 Apr 2024 09:16:34 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-04-wso2-xxe/</guid><description>CVE-2024-2374 describes an XML External Entity (XXE) vulnerability in multiple WSO2 products, where improperly configured XML parsers allow attackers to inject malicious XML payloads to include external resources, leading to confidential file access, limited HTTP resource access, and denial-of-service attacks.</description><content:encoded><![CDATA[<p>CVE-2024-2374 exposes a critical vulnerability in multiple WSO2 products stemming from improper configuration of XML parsers. These parsers, when processing user-supplied XML data, fail to prevent the resolution of external entities. This oversight enables attackers to inject malicious XML payloads designed to include external resources, both local and remote. The vulnerability allows an attacker to read confidential files from the file system, access limited HTTP resources reachable by the product, and perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources. This poses a significant risk to the confidentiality, integrity, and availability of WSO2-based systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a WSO2 product exposed to network traffic.</li>
<li>The attacker crafts a malicious XML payload containing an external entity declaration (e.g., <code>&lt;!DOCTYPE foo [ &lt;!ENTITY xxe SYSTEM &quot;file:///etc/passwd&quot;&gt; ]&gt;</code>).</li>
<li>The attacker submits the malicious XML payload to a WSO2 endpoint that processes XML data, such as an API endpoint or configuration upload page, via an HTTP POST request.</li>
<li>The WSO2 product's XML parser processes the payload without proper configuration to disable external entity resolution.</li>
<li>The parser attempts to resolve the external entity, initiating a read operation on the specified file (<code>/etc/passwd</code> in the example) or a request to a remote HTTP resource.</li>
<li>The contents of the file or the response from the HTTP resource are embedded into the XML document, potentially visible in error messages or other outputs.</li>
<li>The attacker retrieves sensitive information, such as system files, configuration data, or credentials.</li>
<li>Alternatively, the attacker crafts a payload with deeply nested or recursive external entities, causing the XML parser to consume excessive CPU and memory, resulting in a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2024-2374 can lead to the exposure of sensitive data residing on the WSO2 server's file system, including configuration files, credentials, and internal application data. An attacker can also access internal HTTP resources that the WSO2 server has access to. Furthermore, the vulnerability can be leveraged to trigger denial-of-service conditions, disrupting WSO2 services and impacting business operations. While specific numbers are unavailable, a widespread exploitation could affect numerous organizations relying on vulnerable WSO2 products across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patches or updates provided by WSO2 to address CVE-2024-2374 on all affected products immediately.</li>
<li>Deploy the Sigma rule <code>Detect XXE Attempt via HTTP Request</code> to identify potential exploitation attempts targeting WSO2 servers (or other systems).</li>
<li>Monitor web server logs for suspicious POST requests containing XML content with external entity declarations, focusing on the <code>cs-uri-query</code> and <code>cs-uri-path</code> fields (webserver log source).</li>
<li>Implement input validation and sanitization measures on all XML data processed by WSO2 products to prevent the injection of malicious payloads.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xxe</category><category>cve-2024-2374</category><category>wso2</category><category>xml</category><category>vulnerability</category><category>attack</category><category>cloud</category><category>network</category></item></channel></rss>