CVE-2022-22795 in Manager+Agents

Summary

by MITRE • 03/10/2022

Signiant - Manager+Agents XML External Entity (XXE) - Extract internal files of the affected machine. An attacker can read all the system files; the product is running with root on Linux systems and nt/authority on Windows systems, which allows him to access and extract any file on the systems, such as passwd, shadow, hosts and so on. By gaining access to these files, attackers can steal sensitive information from the victim's machine.


Analysis

by VulDB Data Team • 03/12/2022

The vulnerability identified as CVE-2022-22795 affects Signiant Manager+Agents software, presenting a critical XML External Entity (XXE) flaw that enables remote attackers to extract internal system files. The flaw lies in the XML processing functionality of the affected software, where the parser is allowed to resolve external entities declared in attacker-supplied XML instead of rejecting them. It affects both Linux and Windows installations, and the software executes with elevated privileges on each: root on Linux systems and nt/authority on Windows systems. The XXE vulnerability allows attackers to direct the XML parser at local file system resources through external entity references, effectively bypassing the access controls and file system restrictions that would normally apply.

The technical exploitation of this vulnerability leverages the fundamental weakness in XML processing where external entities can be defined to reference local files or network resources. When the Signiant Manager+Agents software processes XML data containing malicious entity references, it can be coerced into reading system files that would normally be inaccessible through standard network protocols. This occurs because the XML parser lacks proper restrictions on external entity resolution, allowing attackers to craft malicious XML payloads that reference system files such as /etc/passwd, /etc/shadow, /etc/hosts, and other sensitive configuration files. The vulnerability operates at the parser level, making it particularly dangerous as it can be exploited without requiring authentication or prior access to the system.

The operational impact of this vulnerability is severe and far-reaching: it gives attackers read access to any file the application process can open, and because the process runs with elevated privileges, that effectively means every file on the system. When the software executes with root privileges on Linux systems, attackers can extract any file on the system, including cryptographic keys, database credentials, system configurations, and user authentication data. Similarly, when running with nt/authority privileges on Windows systems, the vulnerability enables access to Windows system files, registry entries, and domain authentication information. The ability to extract sensitive information such as password hashes, system configuration files, and network configuration details provides attackers with substantial material for further exploitation, including potential lateral movement within networks, credential harvesting, and privilege escalation attacks.

Security professionals should implement multiple layers of defense to mitigate this vulnerability. The primary mitigation involves updating the Signiant Manager+Agents software to versions that properly disable external entity resolution in XML parsers or implement strict input validation. Organizations should also consider implementing network segmentation to limit access to affected systems and deploy web application firewalls that can detect and block malicious XML content. Additionally, the principle of least privilege should be enforced by running the software with minimal required privileges rather than root or administrative accounts. This vulnerability aligns with CWE-611 (Improper Restriction of XML External Entity Reference) and maps to ATT&CK technique T1566 (Phishing with Malicious Attachments) and T1078 (Valid Accounts) as attackers can use the extracted information to establish persistent access and move laterally within compromised networks. Regular security assessments and input validation testing should be performed to ensure that XML processing components do not inadvertently expose system resources to external entity references.
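As an added example (not Signiant's code and not part of this advisory), the parser-level mitigation described above in Python's standard-library `xml.parsers.expat`: a pre-parse check on the raw bytes that an intake service or WAF rule could log and block on, plus a parser that refuses any DOCTYPE or entity declaration so a SYSTEM entity can never reach the file system. The element names and both sample documents are constructed for the demonstration.

```python
import re
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or an external entity."""

# An XXE payload needs a DTD and an entity with a SYSTEM/PUBLIC identifier.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")
_EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b")

def xxe_indicators(xml_bytes: bytes) -> list:
    """XXE building blocks present in the raw bytes; usable for WAF-style detection and logging."""
    found = []
    if _DOCTYPE_RE.search(xml_bytes):
        found.append("doctype")
    if _EXT_ENTITY_RE.search(xml_bytes):
        found.append("external_entity")
    return found

def parse_hardened(xml_bytes: bytes, precheck: bool = True) -> dict:
    """Parse XML into {element: text}; precheck=False exercises the parser-level guard alone."""
    if precheck and xxe_indicators(xml_bytes):
        raise UnsafeXML("DOCTYPE / external entity declarations are not accepted")
    parser = xml.parsers.expat.ParserCreate()
    result, stack = {}, []

    def refuse(*_args):  # any DOCTYPE or entity declaration aborts the parse
        raise UnsafeXML("DTD content is not accepted")

    def text(data):  # expat may deliver text in chunks, so concatenate per element
        if data.strip():
            result[stack[-1]] = result.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = lambda *_args: 0  # 0 = never fetch, abort parse
    parser.StartElementHandler = lambda name, _attrs: stack.append(name)
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.CharacterDataHandler = text
    parser.Parse(xml_bytes, True)
    return result

# Constructed sample inputs: a benign job document and an XXE attempt of the kind
# the advisory describes (an entity that points at /etc/passwd).
SAFE_DOC = b'<?xml version="1.0"?><job><name>nightly-sync</name><src>/data/in</src></job>'
XXE_DOC = (b'<?xml version="1.0"?><!DOCTYPE job [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<job><name>&xxe;</name></job>')
```

The two layers are independent on purpose: the byte-level check feeds detection and can be tuned, while the parser configuration is what actually closes CWE-611 even if a payload slips past the regexes.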

Reservation

01/07/2022

Disclosure

03/10/2022

Moderation

accepted

CPE

ready

EPSS

0.01016

KEV

no

Activities

very low
