CVE-2017-13706 in Lansweeper
Summary
by MITRE
XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information, cause a denial of service, conduct server-side request forgery (SSRF) attacks, conduct internal port scans, or have unspecified other impact via an XML request, aka bug #572705.
Analysis
by VulDB Data Team • 06/12/2024
CVE-2017-13706 is a critical XML external entity (XXE) processing flaw in the deployment module of Lansweeper versions before 6.0.100.67. It affects the import package functionality, a core component used for system configuration and deployment management. The flaw arises from insufficient validation and sanitization of XML input: the application does not restrict external entity references during parsing, so a crafted XML request can influence how the system processes the submitted data.
Exploitation goes through the XML requests handled by the deployment module's import functionality. When an authenticated user submits crafted XML content, the parser attempts to resolve the external entities it declares. Depending on what the entity points at, this yields unauthorized data access, server-side request forgery (SSRF) from the Lansweeper host, internal port scanning that reveals network topology, information disclosure of sensitive system data, or resource exhaustion. The weakness maps to CWE-611 (Improper Restriction of XML External Entity Reference) and, in VulDB's classification, aligns with ATT&CK technique T1071.004 for application layer protocol manipulation. The impact therefore extends beyond data theft: malformed XML processing can also cause a denial of service by consuming system resources.
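As an added example (not code from the page or from Lansweeper), the following Python shows the kind of pre-parse gate that mitigates CWE-611 on an import endpoint: the upload is scanned with a non-resolving expat pass and rejected if it carries any DOCTYPE or entity declaration, and only clean documents reach the real parser. The package schema, the sample documents and the `load_package` function are assumptions, since the page does not describe the actual import format.

```python
"""Pre-parse gate for XML import packages: refuse any document that carries a DTD."""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when the document declares a DOCTYPE or any entity."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Abort on the first DOCTYPE or entity declaration.

    Expat only *reports* declarations to these handlers; it never fetches
    anything itself, so the scan cannot trigger XXE or SSRF. An external DTD
    subset, an internal entity (entity-expansion DoS) and an external entity
    (file read / SSRF / port scan) are all rejected the same way.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' is not allowed in import packages")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        raise UnsafeXmlError(f"{kind} entity '{name}' declared")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Belt and braces: never parse parameter entities, and make any external
    # entity reference a hard parse error (returning 0 aborts expat).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_bytes, True)  # ExpatError propagates for malformed input


def is_safe_package(xml_bytes: bytes) -> bool:
    """True when the document passes the DTD gate (syntax errors still raise)."""
    try:
        reject_dtd(xml_bytes)
    except UnsafeXmlError:
        return False
    return True


def load_package(xml_bytes: bytes) -> dict:
    """Hypothetical import routine: gate first, then parse with ElementTree."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {"name": root.get("name"),
            "steps": [s.get("command") for s in root.iter("step")]}


# Constructed samples (hypothetical package schema, placeholder host name).
BENIGN_PACKAGE = b'<?xml version="1.0"?>\n<package name="Deploy 7-Zip">\n' \
                 b'  <step command="msiexec /i 7z.msi /qn"/>\n</package>'
XXE_PACKAGE = b'<?xml version="1.0"?>\n<!DOCTYPE package [ <!ENTITY ext SYSTEM ' \
              b'"http://internal-host.example/"> ]>\n<package name="&ext;"/>'
```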
The operational consequences are significant for organizations that rely on Lansweeper for asset management and deployment. A remote attacker holding valid credentials can use the flaw for reconnaissance, mapping internal network infrastructure and identifying vulnerable services. The SSRF capability lets the attacker issue requests from the affected system itself, reaching internal resources that network segmentation would normally protect. Processing malicious XML can also exhaust resources and disrupt service, and the information disclosure aspect can expose configuration details, user credentials, or system architecture information. Because the flaw sits in the deployment module, it touches system configuration processes and may allow an attacker to manipulate deployment settings or read sensitive operational data. The unspecified part of the impact indicates that further attack vectors or consequences may exist beyond those documented, which makes the vulnerability especially dangerous where monitoring and incident response capabilities are limited. Organizations should prioritize upgrading to 6.0.100.67 or later to prevent exploitation and preserve the integrity of their asset management and deployment workflows.