CVE-2019-16188 in AppScan Source
Summary
by MITRE
HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim has read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of service attacks.
Analysis
by VulDB Data Team • 09/08/2020
CVE-2019-16188 is an XML External Entity (XXE) processing flaw in HCL AppScan Source versions prior to 9.03.13, classified under CWE-611 (Improper Restriction of XML External Entity Reference). The flaw sits in the product's handling of assessment files (.ozasmt), the XML-based format AppScan Source imports to load scan results. Because the XML parser used for the import does not disable external entity processing, an attacker can craft an .ozasmt file whose DOCTYPE declares an external entity pointing at a local file, and the parser resolves that entity with the privileges of the user performing the import.
Exploitation requires a victim to import a crafted .ozasmt file into AppScan Source. During the import, the parser resolves the external entity references declared in the file, reads the referenced local file, and, in the out-of-band variant described in the summary, sends its contents to a remote listener controlled by the attacker. No elevated privileges are needed: the attacker obtains exactly what the victim's account can read, and the victim only has to open a file that looks like a legitimate assessment export. Because AppScan Source is typically run by application security engineers and developers, the files within reach often include source code under analysis, scan configuration, and credentials stored in local configuration files, which makes the target population unusually valuable.
The operational impact goes beyond a single disclosed file. Material retrieved this way, such as database connection strings, API keys, or private source code, is frequently reusable for follow-on access to the systems the victim works with. The same unrestricted entity processing also allows denial of service: an attacker can declare nested entities so that expansion consumes excessive memory or CPU (the classic entity-expansion, or "billion laughs", pattern), or point an entity at a resource that never returns, hanging the import. In ATT&CK terms the delivery step is Spearphishing Attachment (T1566.001) followed by User Execution: Malicious File (T1204.002); the exfiltration itself is an out-of-band request issued by the XML parser to the attacker's listener, not a command executed by the victim, so no scripting-interpreter technique is involved. The attack chain is therefore social engineering to get the file imported, followed by the parser doing the attacker's file read and network transfer on its own.
The primary fix is to upgrade HCL AppScan Source to version 9.03.13 or later, which disables external XML entity processing for these imports. Until that is done, treat .ozasmt files received from outside the organization as untrusted input: a legitimate assessment export carries no DTD, so any file containing a DOCTYPE or ENTITY declaration should be quarantined rather than imported. Because the data leaves the machine through the parser's own outbound connection, egress filtering on analyst workstations (allowing only known destinations, and logging denied attempts) both blocks the out-of-band channel and produces a detection signal; unexpected HTTP, FTP, or DNS traffic from the AppScan Source process during an import is worth alerting on. More broadly, the issue is a reminder that security tooling parses attacker-supplied XML like any other application and must configure its parsers to reject DTDs and external entities by default, and that application allow-listing and periodic assessment of the security tooling itself belong in the same program as assessments of the applications it scans.
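The following is an added, constructed demonstration of the mechanism described above and of the two defences (a parser that refuses DTDs, and a pre-import gate for untrusted files); it is not code from HCL or from VulDB, and it does not reproduce the real .ozasmt schema. A minimal XML document stands in for a crafted assessment file. It is parsed once by a resolver that follows `file://` SYSTEM entities, which models the pre-9.03.13 behaviour and leaks a constructed local file into element content, and once by a hardened parser that aborts on any DOCTYPE or entity declaration. The file names, element names and the "secret" contents are all assumptions made for the example.

```python
"""XXE demonstration: vulnerable resolver, hardened parser, pre-import gate.

Constructed example only. The document below mimics the shape of a crafted
.ozasmt import (element names are assumed); the real schema is not reproduced.
"""
import tempfile
import urllib.parse
import urllib.request
from pathlib import Path
from xml.parsers import expat


class DtdRejected(Exception):
    """Raised by the hardened parser when a DOCTYPE or ENTITY declaration is seen."""


def make_payload(secret_uri: str) -> bytes:
    """Build an XXE document whose external general entity points at a local
    file. The expansion lands in element content, where the importing
    application reads it (and, in the real attack, forwards it off-host)."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE assessment [\n'
        f'  <!ENTITY xxe SYSTEM "{secret_uri}">\n'
        ']>\n'
        '<assessment><name>&xxe;</name></assessment>\n'
    ).encode()


def parse_unsafe(data: bytes) -> str:
    """Parser that resolves external entities (models the pre-9.03.13 behaviour).
    Returns the concatenated character data, i.e. whatever the entity leaked."""
    parser = expat.ParserCreate()
    chunks = []

    def on_external_entity(context, base, system_id, public_id):
        # Follow file:// SYSTEM identifiers: read the local file and feed it to
        # a child parser, which is what an XML library does when external
        # entity processing is left enabled.
        url = urllib.parse.urlparse(system_id)
        if url.scheme != "file":
            return 0  # stop parsing with an error for anything else
        with open(urllib.request.url2pathname(url.path), "rb") as fh:
            content = fh.read()
        child = parser.ExternalEntityParserCreate(context)  # inherits handlers
        child.Parse(content, True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_hardened(data: bytes) -> str:
    """Parser that refuses any DTD, so no internal, external or parameter
    entity can ever be declared; external references are never resolved."""
    parser = expat.ParserCreate()
    chunks = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' is not allowed in imported files")

    def reject_entity(*_args):
        raise DtdRejected("entity declarations are not allowed in imported files")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = lambda *_args: 0  # never resolve
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def looks_like_xxe(data: bytes) -> bool:
    """Cheap pre-import gate for untrusted assessment files: a legitimate
    export needs no DTD, so any DOCTYPE/ENTITY is reason to quarantine the
    file before it reaches a parser. UTF-16 input is decoded first so the
    byte scan cannot be evaded by a BOM-prefixed encoding."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        data = data.decode("utf-16").encode("utf-8")
    return b"<!DOCTYPE" in data or b"<!ENTITY" in data


def demo() -> dict:
    """Run the scenario against a constructed secret file and report results."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "config.properties"
        secret.write_text("db_password=hunter2\n")  # constructed sensitive file
        payload = make_payload(secret.as_uri())
        leaked = parse_unsafe(payload)
        try:
            parse_hardened(payload)
            hardened = "parsed"
        except DtdRejected:
            hardened = "DtdRejected"
        return {"gate": looks_like_xxe(payload), "leaked": leaked, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

The unsafe path is deliberately limited to `file://` so the example stays offline; an attacker's real payload would instead use a parameter entity that wraps the file contents into an `http://` or `ftp://` URL pointing at the listener. The hardened parser is the right default for any import path: rejecting the DTD outright, rather than trying to allow "safe" entities, removes the expansion-based denial of service at the same time.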