Build a DTD with a nesting depth of at least 551, then send a large number of <!ENTITY> nodes to build_model via XSS. The attacker can send a large number of entities with the following construct: <!ENTITY data-xss="{{count}}">. The outcome of this XSS attack depends on the build environment.
If the build environment is Apache and the Apache httpd module mod_rewrite is enabled, the XSS becomes a DoS attack.
If the build environment is Nginx, the attack crashes Nginx. In all cases, the attacker can send a large number of entities and cause stack exhaustion.
Reduce the risk of this attack by limiting nesting depth, for example to 100 or fewer.
- For Apache with mod_rewrite: reduce the risk of this attack by not enabling mod_rewrite.
- For Nginx: reduce stack exhaustion in build_model by limiting the nesting depth to 100 or fewer, or by disabling mod_rewrite.
Mitigation: Stack exhaustion protection in build_model
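One way to apply the nesting-depth limit before a document reaches the parser, as an added example that is not from the original advisory or the libexpat project. It assumes the nesting in question is parenthesis nesting inside `<!ELEMENT>` content models and that the DTD text is available unexpanded (parameter entities are not resolved); the function names and the sample DTD are constructed for illustration.

```python
import re

# Matches <!ELEMENT name contentspec>; a content model never contains '>'.
ELEMENT_DECL = re.compile(r"<!ELEMENT\s+(\S+)\s+([^>]*)>")
MAX_DEPTH = 100  # limit suggested in the text above


def model_depth(contentspec):
    """Deepest parenthesis nesting in one content model.

    Counted with a loop, so the checker itself cannot exhaust the stack.
    """
    depth = deepest = 0
    for ch in contentspec:
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)  # tolerate unbalanced input
    return deepest


def deep_elements(dtd_text, limit=MAX_DEPTH):
    """Return {element name: depth} for declarations nested deeper than limit."""
    found = {}
    for name, spec in ELEMENT_DECL.findall(dtd_text):
        depth = model_depth(spec)
        if depth > limit:
            found[name] = depth
    return found


# Constructed sample DTD subset (not from the advisory). The demo below uses
# a limit of 3 so the over-limit declaration stays short enough to read.
SAMPLE_DTD = (
    "<!ELEMENT note (to, (from | sender), body)>\n"
    "<!ELEMENT deep ((((a))))>\n"
    "<!ELEMENT a EMPTY>\n"
)

if __name__ == "__main__":
    for name, depth in deep_elements(SAMPLE_DTD, limit=3).items():
        print(f"reject: element {name!r} nests {depth} levels (limit 3)")
```

A document that declares any element over the limit should be rejected before it is handed to the XML parser.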
Timeline
Published on: 02/18/2022 05:15:00 UTC
Last modified on: 06/14/2022 11:15:00 UTC
References
- https://github.com/libexpat/libexpat/pull/558
- http://www.openwall.com/lists/oss-security/2022/02/19/1
- https://www.debian.org/security/2022/dsa-5085
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
- https://security.netapp.com/advisory/ntap-20220303-0008/
- https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25313