CVE-2018-20733 in Web Infrastructure Platform
Summary
by MITRE
BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows XXE.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/02/2020
The vulnerability identified as CVE-2018-20733 represents a critical XML External Entity processing flaw within the BI Web Services component of SAS Web Infrastructure Platform versions prior to 9.4M6. This vulnerability falls under the CWE-611 category of Improper Restriction of XML External Entity Reference, which is a well-documented weakness in software systems that process XML data. The flaw enables attackers to exploit the platform's XML parsing functionality by injecting malicious external entity references that can be resolved during the processing of user-supplied XML input.
The technical implementation of this vulnerability occurs within the BI Web Services layer where the system fails to properly sanitize or restrict external entity references in XML documents. When processing XML requests, the platform does not adequately validate or filter the entity declarations that may include references to external resources, allowing an attacker to craft malicious XML payloads that can cause the system to fetch and process external content. This can lead to various security consequences including information disclosure, denial of service attacks, and potentially remote code execution depending on the system configuration and underlying infrastructure.
The operational impact of this vulnerability is significant for organizations utilizing SAS Web Infrastructure Platform, as it creates an attack surface that can be exploited by malicious actors to gain unauthorized access to sensitive data and system resources. Attackers can leverage this vulnerability to perform server-side request forgery attacks, where the platform is tricked into making requests to internal systems or external malicious servers. The vulnerability can also enable data exfiltration through the retrieval of sensitive files from the server or through the exploitation of the external entity references to access internal network resources that would otherwise be protected by firewalls or network segmentation.
Organizations should implement immediate mitigations including upgrading to SAS Web Infrastructure Platform version 9.4M6 or later, which contains the necessary patches to address the XXE vulnerability. Additionally, administrators should implement proper XML parsing configurations that disable external entity resolution and parameter entity expansion. The mitigation strategies should align with ATT&CK technique T1213.002 for Data from Information Repositories and T1071.004 for Application Layer Protocol: DNS to prevent unauthorized data access and exfiltration attempts. Network segmentation and firewall rules should be configured to restrict access to the affected services, and input validation should be strengthened to prevent malicious XML content from reaching the vulnerable processing layers. Regular security assessments and vulnerability scanning should be conducted to ensure that similar issues are not present in other components of the SAS platform or related systems.