CVE-2016-5795 in Liebert SiteScan Web

Summary

by MITRE

An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.


Analysis

by VulDB Data Team • 01/10/2021

The vulnerability CVE-2016-5795 represents a critical XML External Entity processing flaw affecting multiple industrial control systems from Automated Logic Corporation and Carrier Corporation. This weakness exists within the web interfaces of Liebert SiteScan Web, ALC WebCTRL, and Carrier i-Vu platforms, all versions 6.5 and earlier, creating a significant attack surface for malicious actors targeting industrial environments. The vulnerability stems from insufficient input validation and improper XML parser configuration that allows attackers to inject malicious external entity declarations within XML requests processed by these applications.

The vulnerability relies on the ability of XML parsers to resolve external references during document parsing. When these industrial web applications process XML data without proper sanitization, attackers can submit crafted XML containing external entity declarations. When the parser resolves these entities, the result may be arbitrary code execution on the server hosting the vulnerable applications or unauthorized access to sensitive files within the network. This weakness maps directly to CWE-611, Improper Restriction of XML External Entity Reference, and aligns with ATT&CK technique T1213.002 for Data from Information Repositories.

The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with potential persistence mechanisms and lateral movement capabilities within industrial control networks. An attacker exploiting this vulnerability could gain unauthorized access to critical system files, configuration data, and potentially execute commands with elevated privileges on the affected servers. The implications are particularly severe in industrial environments where these platforms control critical infrastructure, as successful exploitation could lead to operational disruptions, data compromise, or even physical system manipulation. The vulnerability affects the core web interfaces of these applications, making it accessible through standard web-based attack vectors including HTTP requests and web application interfaces.

Mitigation for CVE-2016-5795 should start with immediate configuration changes that disable external entity resolution in XML parsers, combined with comprehensive input validation. Organizations must update all affected systems to patched versions of the vulnerable software, as vendors have released security updates addressing this XXE vulnerability. Network segmentation and web application firewalls should restrict access to these industrial web interfaces, and regular security assessments should verify that XML parsers are configured to reject external entity references. Proper access controls and monitoring help detect potential exploitation attempts, and regular security training for personnel managing these systems can prevent social engineering attacks that may leverage this vulnerability. Organizations should also conduct thorough vulnerability assessments to identify other applications within their industrial control systems that may be susceptible to similar XXE attacks, as this is a common weakness in industrial web applications and requires consistent remediation across all affected platforms.
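A parser configured to reject external entity references, as the mitigation above calls for, can be sketched as follows. This is an added example, not code from VulDB or from the affected vendors; it uses Python's standard expat binding, and the function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a document carries a DTD or entity declaration."""


def parse_strict(data: bytes) -> list:
    """Parse XML and return element names; refuse DOCTYPE and entities."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE declaration not allowed: {name!r}")

    def forbid_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed: {name!r}")

    def forbid_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity reference not allowed: {sysid!r}")

    # Fail closed: any DTD construct aborts parsing before it is resolved.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def is_rejected(data: bytes) -> bool:
    """True if the strict parser refuses the document."""
    try:
        parse_strict(data)
    except ForbiddenXML:
        return True
    return False


# Constructed sample documents (not taken from any product or advisory).
PLAIN = b"<request><point id='1'/></request>"
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b"<request>&ext;</request>"
)
WITH_INTERNAL_ENTITY = b'<!DOCTYPE request [<!ENTITY a "text">]><request>&a;</request>'

if __name__ == "__main__":
    for doc in (PLAIN, WITH_EXTERNAL_ENTITY, WITH_INTERNAL_ENTITY):
        print(is_rejected(doc), doc[:40])
```

Rejecting the DOCTYPE outright also blocks internal entities, which is stricter than the external-entity case alone and suits interfaces that never need a DTD.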

Reservation: 06/23/2016

Disclosure: 08/31/2017

Moderation: accepted

CPE: ready

EPSS: 0.00320

KEV: no

Activities: very low
