CVE-2020-27858 in ARCserve D2D
Summary
by MITRE • 01/21/2021
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CA Arcserve D2D 16.5. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getNews method. Due to the improper restriction of XML External Entity (XXE) references, a specially-crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11103.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/18/2021
The vulnerability identified as CVE-2020-27858 represents a critical information disclosure flaw in CA Arcserve D2D 16.5 software, specifically within the getNews method implementation. This vulnerability operates under the CWE-611 weakness category, which classifies it as an improper restriction of XML External Entity references, making it a variant of the well-known XXE attack vector. The flaw exists in the XML parsing mechanism that processes incoming data without adequate validation of external entity references, creating a pathway for unauthorized information access that does not require any authentication credentials for exploitation.
The technical exploitation of this vulnerability occurs when a malicious actor crafts a specially designed XML document containing external entity references that point to internal system resources. When the XML parser processes this document through the getNews method, it automatically resolves the external entity references and embeds the retrieved content back into the XML structure for further processing. This behavior allows attackers to access sensitive system information, including files, directories, and potentially system configurations that would normally be protected from external access. The vulnerability operates at the SYSTEM context level, indicating that successful exploitation can provide attackers with elevated privileges and access to system-level resources that are typically restricted.
The operational impact of this vulnerability extends beyond simple information disclosure, as it can enable attackers to gather intelligence about the target system's configuration, file structures, and potentially sensitive data stored within the Arcserve D2D environment. Attackers leveraging this vulnerability can potentially access system files, configuration details, and other internal resources that may contain credentials, system paths, or other sensitive information. This type of vulnerability aligns with ATT&CK technique T1083 (File and Directory Discovery) and T1046 (Network Service Scanning) as it allows for reconnaissance activities and system enumeration without requiring authentication. The fact that no authentication is required makes this particularly dangerous as it can be exploited by anyone with network access to the affected system.
Organizations utilizing CA Arcserve D2D 16.5 should implement immediate mitigations including disabling external entity processing in XML parsers, implementing proper input validation for all XML data processing, and restricting network access to the affected system. The recommended approach involves configuring XML parsers to reject external entity declarations and using secure parsing libraries that do not automatically resolve external references. Additionally, network segmentation and firewall rules should be implemented to limit access to the affected service, and regular security assessments should be conducted to identify similar vulnerabilities in other system components. This vulnerability demonstrates the importance of secure XML processing practices and the potential consequences of inadequate input validation in enterprise backup and recovery solutions. The ZDI-CAN-11103 reference indicates this vulnerability was recognized by the Zero Day Initiative, highlighting its significance in the cybersecurity community and the need for immediate remediation efforts.