Executive Summary

This vulnerability exists in the XML parser functionality of the SOAP endpoints in 4D Server. Unauthenticated attackers can exploit it by sending malicious XML payloads to the /4DSOAP endpoint, which processes external XML entities improperly. This allows attackers to read arbitrary files on the application server and adjacent network shares.

Additionally, attackers can perform HTTP GET requests to arbitrary services, enabling Server-Side Request Forgery (SSRF) attacks. The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference) and affects 4D Server version 20 R3.

Exploitation techniques include error-based and out-of-band exfiltration methods, and the vulnerability remains exploitable even if the 'Reject SOAP-Requests' option is enabled in the 4D Server GUI.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts as it allows unauthenticated attackers to gain read access to sensitive files on the application server and connected network shares.

Attackers can also perform HTTP GET requests to arbitrary services, potentially enabling them to access internal services that are not normally exposed externally.

Such unauthorized access can lead to data leakage, exposure of confidential information, and facilitate further attacks within the network.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending malicious XML payloads to the /4DSOAP endpoint of the 4D Server and observing if the server processes external XML entities, which would indicate susceptibility to XML External Entity (XXE) attacks.

A proof-of-concept script named 4d-xxe.py exists that automates the exploitation process and can be used to test if the server is vulnerable.

Detection involves monitoring for unusual HTTP GET requests initiated by the server to arbitrary services or attempts to read files on the application server or adjacent network shares.

• Use the 4d-xxe.py script to send crafted XML payloads to the /4DSOAP endpoint.
• Monitor network traffic for unexpected outbound HTTP GET requests originating from the 4D Server.
• Check server logs for abnormal file read attempts or errors related to XML parsing at the /4DSOAP endpoint.

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to upgrade the 4D Server to version 20 R7 or higher, where the vulnerability has been addressed.

Note that enabling the "Reject SOAP-Requests" option in the 4D Server GUI does not prevent exploitation, so relying on this setting is insufficient.

Until an upgrade can be performed, consider restricting access to the /4DSOAP endpoint to trusted networks or IP addresses to reduce exposure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to read arbitrary files on the application server and adjacent network shares, potentially exposing sensitive data.

Such unauthorized data access can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to unauthorized disclosure of protected data.

Useful 0 Not Useful 0