Is web GUI authentication necessary to exploit CVE-2018-5795 described in VN 2018-003?


In the VN 2018-003 disclosure, it is unclear to me if the attacker would have to be authenticated within the web GUI (as an administrator or otherwise) in order to conduct the arbitrary file write from CVE-2018-5795. Can you please let me know what your investigation found on this?

3 replies

Hello Judd,

as per the VN description I assume attacker does NOT have to be authenticated

Following are the noted vulnerabilities:
  • Remote and unauthenticated XML entity expansion vulnerability can cause denial of service (CVE-2018-5789)
    CVSS base score: 7.5 (High) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • Arbitrary file write from WebGUI (CVE-2018-5795)
    CVSS base score: 2.6 (Low) (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N)

Attack: To launch this attack, a malicious user needs access to the management interface of the WiNG AP / Controller. An attack consists of sending specially crafted XML entities that could lead to AP / Controller crash.

That is why we recommend to restrict access to WiNG device using an internal subnet, IP or ACL.

Regards,
Ondrej

Thank you for the response, I was attempting to NOT have to make assumptions. You understand my confusion given the difference in wording between the two CVEs. Did the team doing analysis of the IOActive research CONFIRM no GUI authentication is necessary?

Restricting GUI access via ACL is a given, however it only reduces the attack surface. ACL + strong GUI password policy would be better... if the authentication matters.
In case others are watching this, the release notes claiming a fix for CVE-2018-5795 indicate low access authentication is required for this particular CVE.

https://documentation.extremenetworks.com/release_notes/WiNG/9035206-03_WiNG%205_9_1_3%20Release_Not...
