Introduction: As part of our continuing efforts to ensure the security and stability of open-source software, we would like to bring to your attention a critical use-after-free vulnerability in the widely used Apache Xerces C++ XML parser. The issue is tracked as CVE-2024-23807 and affects versions 3.0.0 to 3.2.4 of the parser. The vulnerability is triggered during the scanning of external DTDs and can lead to a variety of problems, including crashes, data corruption, and even arbitrary code execution.

Original References: The vulnerability was initially reported as CVE-2018-1311. The initial advisory erroneously recommended version 3.2.3 or 3.2.4 as the fix, but the problem persisted in those versions. The correct patched version is 3.2.5. The official Apache Xerces C++ XML parser project page and additional references can be found here:

- Apache Xerces C++ XML parser: https://xerces.apache.org/xerces-c/
- CVE-2018-1311 Advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1311
- Updated Advisory (CVE-2024-23807): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23807

The Exploit: As mentioned earlier, CVE-2024-23807 allows a use-after-free error to occur while scanning external DTDs, which can lead to crashes or more severe consequences. The program below demonstrates the affected usage: it parses, with validation enabled, a document that references an external DTD.

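#include <iostream>
#include <xercesc/parsers/XercesDOMParser.hpp>
#include <xercesc/sax/ErrorHandler.hpp>
#include <xercesc/sax/HandlerBase.hpp>   // declares HandlerBase, used below
#include <xercesc/util/XMLString.hpp>
#include <xercesc/util/PlatformUtils.hpp>

XERCES_CPP_NAMESPACE_USE

int main(int argc, char* argv[]) {
    // The Xerces runtime must be initialized before any parser is created.
    try {
        XMLPlatformUtils::Initialize();
    }
    catch (const XMLException& toCatch) {
        return 1;
    }

    int rc = 0;
    XercesDOMParser* parser = new XercesDOMParser;
    // Validation is on, so the external DTD named in the DOCTYPE is loaded and scanned.
    parser->setValidationScheme(XercesDOMParser::Val_Always);
    parser->setDoNamespaces(true);

    ErrorHandler* errHandler = (ErrorHandler*) new HandlerBase;
    parser->setErrorHandler(errHandler);

    try {
        parser->parse("file_with_external_dtd.xml");
    }
    catch (const XMLException& toCatch) {
        char* message = XMLString::transcode(toCatch.getMessage());
        std::cerr << "XML error: " << message << std::endl;
        XMLString::release(&message);
        rc = 2;
    }
    catch (...) {
        // HandlerBase reports fatal parse errors by throwing a SAX exception.
        rc = 3;
    }

    // Release the parser and handler before shutting the runtime down.
    delete parser;
    delete errHandler;
    XMLPlatformUtils::Terminate();
    return rc;
}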

Mitigation & Fixes: Users are strongly recommended to upgrade to Apache Xerces C++ XML parser version 3.2.5, which fixes the CVE-2024-23807 vulnerability. Alternatively, users can mitigate the issue by disabling DTD processing in their applications, which can be done through the following methods:

For DOM: Use a standard parser feature such as the following to disable DTD processing:

// XercesDOMParser setter for XMLUni::fgXercesLoadExternalDTD; ignored when validation is Val_Always or Val_Auto.
parser->setLoadExternalDTD(false);

For SAX: Set the XERCES_DISABLE_DTD environment variable to disable DTD processing.
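
As an added example (not code from the Xerces project or the advisory), the following standard C++ check reports whether a document declares an external DTD subset, the construct that triggers the bug, so that it can be refused or logged before it reaches an unpatched parser. The names `Doctype`, `classify_doctype` and `safe_to_parse` are this example's own, and it assumes UTF-8 input held in memory.

```cpp
#include <cctype>
#include <cstring>
#include <string>

// Verdicts of this example's pre-parse check (hypothetical names, not Xerces API).
enum class Doctype { None, InternalOnly, External, Undetermined };

static bool is_space(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }

// Move pos past the terminator `end` of a construct whose opener is open_len bytes long.
static bool skip_past(const std::string& s, std::size_t& pos, std::size_t open_len, const char* end) {
    std::size_t e = s.find(end, pos + open_len);
    if (e == std::string::npos) return false;   // construct never closes
    pos = e + std::strlen(end);
    return true;
}

// Walk the prolog of an in-memory XML document and report the kind of DOCTYPE it declares.
// Assumption: ASCII-compatible encoding (UTF-8). Input the scanner cannot follow,
// such as UTF-16, yields Undetermined so the caller can refuse it.
Doctype classify_doctype(const std::string& xml) {
    std::size_t i = (xml.compare(0, 3, "\xEF\xBB\xBF") == 0) ? 3 : 0;   // optional UTF-8 BOM
    while (i < xml.size()) {
        if (is_space(xml[i])) { ++i; continue; }
        if (xml.compare(i, 2, "<?") == 0) {             // XML declaration or PI
            if (!skip_past(xml, i, 2, "?>")) return Doctype::Undetermined;
        } else if (xml.compare(i, 4, "<!--") == 0) {    // comment
            if (!skip_past(xml, i, 4, "-->")) return Doctype::Undetermined;
        } else if (xml.compare(i, 9, "<!DOCTYPE") == 0) {
            i += 9;
            while (i < xml.size() && is_space(xml[i])) ++i;   // space before root name
            while (i < xml.size() && !is_space(xml[i]) && xml[i] != '[' && xml[i] != '>') ++i;
            while (i < xml.size() && is_space(xml[i])) ++i;   // space after root name
            // An ExternalID (SYSTEM or PUBLIC) at this point names an external DTD subset.
            bool ext = xml.compare(i, 6, "SYSTEM") == 0 || xml.compare(i, 6, "PUBLIC") == 0;
            return ext ? Doctype::External : Doctype::InternalOnly;
        } else {
            unsigned char next = (i + 1 < xml.size()) ? static_cast<unsigned char>(xml[i + 1]) : 0;
            bool root = xml[i] == '<' && (std::isalpha(next) || next == '_' || next == ':' || next >= 0x80);
            return root ? Doctype::None : Doctype::Undetermined;   // root element, or unreadable
        }
    }
    return Doctype::Undetermined;   // ran out of input before a root element
}

// Gate for services that never need DTDs: accept only documents with no DOCTYPE at all,
// since an internal subset can still pull in external entities.
bool safe_to_parse(const std::string& xml) { return classify_doctype(xml) == Doctype::None; }
```

A check like this complements the upgrade to 3.2.5 and does not replace it.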

Conclusion: In this post, we have discussed a critical use-after-free vulnerability (CVE-2024-23807) in the Apache Xerces C++ XML parser that affects versions 3.0.0 to 3.2.4. To secure your applications, we strongly encourage upgrading to version 3.2.5 or employing one of the mitigation strategies described above. Always keep your software up to date to minimize the risk of potential security threats.

Timeline

Published on: 02/29/2024 01:44:10 UTC
Last modified on: 08/01/2024 13:47:20 UTC