What is the vulnerability CVE-2023-0871?

CVE-2023-0871 is an XML external entity injection vulnerability in OpenNMS Horizon with a CVSS3 score of 8.8. It exposes OS file exfiltration due to a permissive XML parser configuration, potentially enabling XML External Entity injection.

How does the vulnerability work?

The vulnerability leverages XML entities with URIs to potentially access local files. Attackers can use crafted XML files with entity definitions to read local files, exploiting the permissive XML parser configuration.

What is the impact of this vulnerability?

The vulnerability's impact includes potential data leakage, denial of service, and server-side request forgery. It's rated with a CVSS Base Score of 8.8 (High).

How was the vulnerability addressed?

The vulnerability has been fixed in the Horizon 32.0.2 and Meridian 2023.1.6 releases, ensuring users are protected from potential exploitation.

Advisory

OpenNMS Horizon vulnerable to XXE attack

Q: What is the XML external entity injection vulnerability in OpenNMS Horizon?

The Synopsys CyRC discovered an XML external entity injection vulnerability in OpenNMS Horizon, allowing potential attackers to manipulate XML and potentially access files on the server.

published: Aug. 15, 2023

Take action: Not a vulnerability to panic about but still a very interesting exposure. If an attacker gains access to the local network, they would have another target to attack via an unpatched OpenNMS. Plan for a scheduled non-urgent patch.

Learn More

Cybersecurity researchers from the Synopsys Cybersecurity Research Center (CyRC) have identified an XML external entity injection vulnerability in OpenNMS Horizon.

OpenNMS is an open source network monitoring platform written in Java. It's used across various sectors including healthcare, technology, energy, finance, government, education, retail, and industry, often with large networks comprising thousands of devices. OpenNMS is distributed as two versions: Horizon (community) and Meridian (enterprise) under the AGPLv3 license.

The vulnerability is tracked as CVE-2023-0871 (CVSS3 score 8.8) exposes OS file exfiltration from the OpenNMS server's file system due to a permissive XML parser configuration, potentially enabling XML External Entity injection.

XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed these contents back into the XML document for further processing.

By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as "file:///c:/winnt/win.ini" designates (in Windows) the file C:\Winnt\win.ini, or file:///etc/passwd designates the password file in Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.

Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents.

The extent of data leakage is limited to textual files that the application process is authorized to read, usually one line of text.

This vulnerability has been addressed in the Horizon 32.0.2 and Meridian 2023.1.6 releases.

OpenNMS Horizon vulnerable to XXE attack

Read More
CISA warns of actively exploited old vulnerabilities in …
Juniper Networks patches nearly 220 security flaws in …
OpenSSL Patches 12 Vulnerabilities Including One Critical RCE
Versa Networks fixes actively exploited vulnerability in Director …
Critical flaws and public exploits released for Trend …