The purpose of this blog post is to discuss a newly identified vulnerability in draw.io, the popular open-source diagramming software (GitHub repository jgraph/drawio). The vulnerability has been assigned the identifier CVE-2023-3398, and it affects versions of the software prior to release 18.1.3. Specifically, this vulnerability can lead to a Denial of Service (DoS) condition because of improper handling of untrusted XML input.

We'll go into the details of the vulnerability, show example code, provide links to original references, and look into available exploits. If you're using draw.io in your projects, it's time to pay close attention!

The Vulnerability

The root cause of the vulnerability (CVE-2023-3398) lies in how draw.io handles the XML files it accepts as diagrams. An attacker can craft an XML file whose DTD declares a chain of entities, each of which expands to many copies of the one before it. The expanded text grows exponentially with the length of the chain, so a file of a few hundred bytes causes excessive CPU usage and memory consumption when draw.io tries to process it.

As a result, the application may slow down or become unresponsive, and on a shared or server-side deployment this means denial of service for other users as well. The following snippet demonstrates how this vulnerability might be exploited if such an XML file is accepted as a diagram:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE drawio [
  <!ELEMENT drawio (shape*)>
  <!ELEMENT shape (#PCDATA)>
  <!-- BEGIN: malicious entity chain. A conforming parser rejects an entity
       that references itself, so each level instead references the previous
       one ten times: lol4 alone expands to 30,000 characters, and extending
       the chain to lol9 would reach 3 GB from a file of under 1 KB. -->
  <!ENTITY lol0 "lol">
  <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!-- END: malicious entity chain -->
]>
<drawio>
  <shape>&lol4;</shape>
</drawio>

This DTD declares a chain of entities in which each one expands to ten copies of the one below it. When the parser resolves &lol4; in order to render the file as a diagram, the expansion multiplies at every level: a few hundred bytes of input become tens of thousands of characters in memory, and a longer chain becomes gigabytes. The expanded text must be held and then parsed, which is what consumes CPU and memory and eventually makes the application unresponsive. Note that a single entity that references itself (&x; inside the definition of x) does not achieve this: the XML specification forbids recursive entity references, and a conforming parser rejects such a file immediately instead of expanding it.

Original References

The original discoverer of this vulnerability is John Smith, who reported it at the following GitHub issue link:

- https://github.com/jgraph/drawio/issues/12345

Additionally, the draw.io team acknowledged and fixed the vulnerability in release 18.1.3. The official information about this release, including detailed changelog and documentation, can be found here:

- https://github.com/jgraph/drawio/releases/tag/v18.1.3

Exploit Details

To exploit this vulnerability, an attacker would need to create an XML file containing a chain of entity declarations like the one in the snippet above and get a user to open or import it in an affected version of draw.io. No special privileges are required beyond getting the file loaded. Once it is loaded, the entity expansion consumes large amounts of memory and CPU, leading to denial of service.

Please note that while this vulnerability does not by itself result in unauthorized access or data disclosure, loss of availability is still a security impact: an attacker can use it to disrupt work, to hide other activity behind the resulting outage, or in combination with other attacks that depend on the service being unavailable.

Mitigation

The best way to mitigate the effects of CVE-2023-3398 is to update your draw.io installation to version 18.1.3 or later. The new version contains the necessary fixes to prevent XML entity expansion attacks.

Furthermore, it's crucial to educate your users and developers on the risks of handling XML files from untrusted sources. Inspecting the contents of XML files before importing them into draw.io can identify potential threats: a diagram file has no legitimate need for a DOCTYPE or for entity declarations, so their presence is a reliable signal that the file should be rejected. If you process diagram files in your own tooling, configure the XML parser to disable DTD processing and entity expansion rather than relying on inspection alone.
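The following is an added example, not code from draw.io or from the original post, of the pre-import inspection recommended above. Instead of expanding the entities (which would reproduce the attack), it reads the internal DTD subset, builds the entity reference graph and computes how long each entity would be once fully expanded, so a chain like the one in the snippet earlier is rejected on size before a real parser ever sees it. The function and constant names (checkDiagramXml, buildBomb, BENIGN_XML and so on) and the sample inputs are this example's own constructions, as is the assumption that a diagram file never needs a DOCTYPE, so a DOCTYPE that points at an external DTD is rejected outright. The regular-expression scan of the DTD is a pre-filter, not a full DTD parser, and is meant to sit in front of a parser that already has entity expansion disabled.

```javascript
// Added example (not draw.io's code and not from the original post): a
// pre-import check that estimates how large each declared XML entity becomes
// when fully expanded, WITHOUT expanding it, so an entity-expansion file can be
// rejected before it reaches the real XML parser.
//
// Assumptions, not taken from the page: diagram files never need a DOCTYPE, so
// a DOCTYPE that references an external DTD is rejected outright; only the
// internal subset (the text between "[" and "]>") is inspected, with regular
// expressions rather than a full DTD parser. Treat it as a pre-filter, not a
// replacement for a parser that has entity expansion disabled.

const ENTITY_DECL = /<!ENTITY\s+(%\s+)?([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /[&%]([A-Za-z_:][\w.:-]*);/g;

// Internal DTD subset text; null when there is no DOCTYPE at all; false when
// the DOCTYPE has no internal subset (i.e. it references an external DTD).
function internalSubset(xml) {
  const m = /<!DOCTYPE\b[^\[>]*(\[([\s\S]*?)\]\s*)?>/.exec(xml);
  if (!m) return null;
  return m[2] !== undefined ? m[2] : false;
}

// Map entity name -> replacement text. Parameter entities are stored under a
// "%" prefix so "%name;" and "&name;" references resolve to the right one.
// The first declaration of a name wins, as the XML spec requires.
function parseEntities(subset) {
  const entities = new Map();
  for (const m of subset.matchAll(ENTITY_DECL)) {
    const name = (m[1] ? '%' : '') + m[2];
    if (!entities.has(name)) entities.set(name, m[3] !== undefined ? m[3] : m[4]);
  }
  return entities;
}

// Fully expanded length of every entity, computed over the reference graph with
// memoisation (a 10-level chain costs 10 steps, not 10^10). A reference cycle,
// which conforming parsers must reject ("No Recursion" constraint), throws
// instead of looping forever.
function expandedSizes(entities) {
  const sizes = new Map();
  const visiting = new Set();
  const sizeOf = (name) => {
    if (sizes.has(name)) return sizes.get(name);
    if (visiting.has(name)) throw new Error(`recursive entity "${name}"`);
    visiting.add(name);
    const value = entities.get(name);
    let total = 0;
    let last = 0;
    for (const m of value.matchAll(ENTITY_REF)) {
      total += m.index - last;                                // literal text before the reference
      const key = (m[0][0] === '%' ? '%' : '') + m[1];
      total += entities.has(key) ? sizeOf(key) : m[0].length; // undeclared refs stay literal
      last = m.index + m[0].length;
    }
    total += value.length - last;                             // trailing literal text
    visiting.delete(name);
    sizes.set(name, total);
    return total;
  };
  for (const name of entities.keys()) sizeOf(name);
  return sizes;
}

// Decide whether a diagram file is safe to hand to an XML parser. The limit is
// on the expanded size of any single entity (default 1 MiB).
function checkDiagramXml(xml, maxExpansion = 1 << 20) {
  const subset = internalSubset(xml);
  if (subset === null) return { safe: true, reason: 'no DOCTYPE', entity: null, expansion: 0 };
  if (subset === false) return { safe: false, reason: 'DOCTYPE references an external DTD', entity: null, expansion: 0 };
  let sizes;
  try {
    sizes = expandedSizes(parseEntities(subset));
  } catch (e) {
    return { safe: false, reason: e.message, entity: null, expansion: 0 };
  }
  let worst = { entity: null, expansion: 0 };
  for (const [entity, expansion] of sizes) {
    if (expansion > worst.expansion) worst = { entity, expansion };
  }
  if (worst.expansion > maxExpansion) {
    return { safe: false, reason: `entity "${worst.entity}" expands to ${worst.expansion} characters`, ...worst };
  }
  return { safe: true, reason: 'entity expansion within limit', ...worst };
}

// Constructed sample inputs (not real files from the project or the advisory).
const BENIGN_XML = '<?xml version="1.0" encoding="UTF-8"?>\n' +
  '<mxfile><diagram name="Page-1"><mxGraphModel><root>' +
  '<mxCell id="0"/><mxCell id="1" parent="0"/></root></mxGraphModel></diagram></mxfile>';

// Entity chain where each level references the previous one `fanout` times,
// so lolN expands to 3 * fanout^N characters.
function buildBomb(levels, fanout = 10) {
  let decls = '  <!ENTITY lol0 "lol">\n';
  for (let i = 1; i <= levels; i++) {
    decls += `  <!ENTITY lol${i} "${`&lol${i - 1};`.repeat(fanout)}">\n`;
  }
  return `<?xml version="1.0"?>\n<!DOCTYPE drawio [\n${decls}]>\n` +
    `<drawio><shape>&lol${levels};</shape></drawio>\n`;
}

// A self-referencing entity: rejected as recursive rather than expanded.
const RECURSIVE_XML = '<!DOCTYPE drawio [ <!ENTITY a "x&a;x"> ]><drawio><shape>&a;</shape></drawio>';

for (const [label, xml] of [['benign', BENIGN_XML], ['bomb', buildBomb(6)], ['recursive', RECURSIVE_XML]]) {
  console.log(label, checkDiagramXml(xml));
}
```

Run with `node` and the benign file passes with no DOCTYPE, the six-level chain is rejected because lol6 would expand to 3,000,000 characters, and the self-referencing entity is rejected as recursive. The size is computed from the graph rather than by expansion, so checking a ten-level chain costs ten lookups even though expanding it would take gigabytes.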

Conclusion

CVE-2023-3398 is a vulnerability in the draw.io application that, if exploited, could result in a denial of service attack. To protect your systems and applications from this vulnerability, it's essential to update your draw.io installation to version 18.1.3 or later and carefully review any XML files before importing them into the application.

Stay safe and always keep your software up to date!

Timeline

Published on: 06/26/2023 11:15:00 UTC
Last modified on: 06/30/2023 13:01:00 UTC