CVE-2024-28757 is a critical vulnerability recently found in libexpat, the XML parsing library widely used by web servers and applications to parse and process XML documents. It allows an attacker to mount an XML Entity Expansion attack which, when exploited, could lead to denial of service, information leakage, or even remote execution of arbitrary code.

Exploit Details

The vulnerability resides in libexpat through version 2.6.1 when external parsers (created via XML_ExternalEntityParserCreate) are used in isolation. In particular, if an application uses such external parsers without proper entity expansion limits, an attacker can craft a malicious XML document that triggers an XML Entity Expansion attack. This attack is also known as the "Billion Laughs" attack because of its potential to consume huge amounts of memory, CPU and other system resources, eventually causing a crash or a severe slowdown.

Here is an example of a simple XML document that may be used to exploit the vulnerability:

<?xml version="1.0"?>
<!DOCTYPE x [
<!ENTITY a "123456789">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<x>&c;</x>

When an affected application processes such a document with an external parser that has no proper limits, the entities expand exponentially (each level of nesting multiplies the size of the previous one), consuming large amounts of memory and CPU.
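Because the expansion is multiplicative, its size can be predicted from the entity declarations alone, before any parser touches the document. The following Python estimator is an added example written for this page (it is not code from libexpat or from the advisory's author): it reads the internal-subset entity declarations, computes how many characters each entity and the document body would expand to, refuses recursive declarations, and lets a gateway reject a document whose expanded size exceeds a limit. The regular expressions, the function names and the 1,000,000-character limit are this example's own assumptions; the sample document is the one shown above. It counts expanded characters, which is a simpler metric than libexpat's own amplification accounting, so treat it as a pre-check in front of the parser rather than a replacement for the library's protection.

```python
import re

# Internal general entity declarations: <!ENTITY name "value"> or '...'.
# Parameter entities (%) and external (SYSTEM/PUBLIC) entities do not match.
_ENTITY_DECL = re.compile(
    r'<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')
# The five predefined entities each expand to a single character.
_PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}

# Limit chosen for this example; size it to what the consuming service can afford.
MAX_EXPANDED_CHARS = 1_000_000

# The advisory's sample document, reproduced here as the constructed test input.
SAMPLE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE x [\n'
    '<!ENTITY a "123456789">\n'
    '<!ENTITY b "' + "&a;" * 13 + '">\n'
    '<!ENTITY c "' + "&b;" * 13 + '">\n'
    ']>\n'
    '<x>&c;</x>'
)


def declared_entities(xml_text):
    """Return {name: literal replacement text} for internal general entities.
    XML says the first declaration of a name wins, so later duplicates are ignored."""
    decls = {}
    for m in _ENTITY_DECL.finditer(xml_text):
        name, dq, sq = m.groups()
        decls.setdefault(name, dq if dq is not None else sq)
    return decls


def expansion_sizes(decls):
    """Return {name: characters produced once every nested reference is expanded}.
    Raises ValueError if the declarations reference each other in a cycle."""
    sizes = {}
    in_progress = set()

    def size_of(name):
        if name in sizes:
            return sizes[name]
        if name in _PREDEFINED:
            return _PREDEFINED[name]
        if name not in decls:
            # Undeclared reference: a real parser would reject the document;
            # count it as written so the estimate stays conservative.
            return len(name) + 2
        if name in in_progress:
            raise ValueError(f"recursive entity reference through &{name};")
        in_progress.add(name)
        value = decls[name]
        # Literal characters plus the expansion of each reference. Character
        # references such as &#38; are left unexpanded and counted as written.
        total = len(_ENTITY_REF.sub("", value))
        total += sum(size_of(ref) for ref in _ENTITY_REF.findall(value))
        in_progress.remove(name)
        sizes[name] = total
        return total

    for name in decls:
        size_of(name)
    return sizes


def body_expansion(xml_text):
    """Characters the document body (everything after the internal subset)
    would occupy once its entity references are expanded."""
    sizes = expansion_sizes(declared_entities(xml_text))
    body = xml_text.split("]>", 1)[1] if "]>" in xml_text else xml_text
    total = len(_ENTITY_REF.sub("", body))
    for ref in _ENTITY_REF.findall(body):
        total += sizes.get(ref, _PREDEFINED.get(ref, len(ref) + 2))
    return total


def exceeds_limit(xml_text, limit=MAX_EXPANDED_CHARS):
    """True if parsing would expand beyond `limit` characters, or if the
    declarations are recursive (which is never acceptable)."""
    try:
        return body_expansion(xml_text) > limit
    except ValueError:
        return True


if __name__ == "__main__":
    print(expansion_sizes(declared_entities(SAMPLE_DOC)))  # {'a': 9, 'b': 117, 'c': 1521}
    print(body_expansion(SAMPLE_DOC), exceeds_limit(SAMPLE_DOC))  # 1529 False
```

For the advisory's sample, a expands to 9 characters, b to 13 × 9 = 117 and c to 13 × 117 = 1521, so each additional declaration level multiplies the result by 13; the estimator makes that growth visible before a single byte is handed to libexpat. Note that the declaration regex does not understand comments or CDATA sections, so it can over-count in documents that contain declaration-like text there, which is the safe direction for a gate to err in.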

The vulnerability has been reported and documented in the following official resources:

1. CVE-2024-28757 - MITRE's Common Vulnerabilities and Exposures entry for the vulnerability.
2. libexpat GitHub repository - Official source code repository for the libexpat library, where the vulnerability was discovered.

Mitigation

To protect against this vulnerability, update your libexpat library to a version newer than 2.6.1. In addition, you can use the following code snippet to limit entity expansion when using XML_ExternalEntityParserCreate:

#include <expat.h>

/* Declaration handler: as soon as the first general (non-parameter) entity is
   declared, stop the parser from expanding parameter entities. The handler
   receives the parser itself as userData because of XML_UseParserAsHandlerArg. */
static void XMLCALL
entity_declaration_handler(void *userData, const XML_Char *entityName,
    int is_parameter_entity, const XML_Char *value, int value_length,
    const XML_Char *base, const XML_Char *systemId, const XML_Char *publicId,
    const XML_Char *notationName) {
  XML_Parser parser = (XML_Parser)userData;
  if (!is_parameter_entity) {
    XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_NEVER);
  }
}

/* Create the external entity parser (NULL = keep the parent's encoding) and
   install the handler on it. */
XML_Parser parser = XML_ExternalEntityParserCreate(parent, context, NULL);
XML_UseParserAsHandlerArg(parser);
XML_SetEntityDeclHandler(parser, entity_declaration_handler);
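A declaration handler is more effective when it decides, at declaration time, which entities are acceptable at all. The Python example below is added for this page and is not code from libexpat, from Python or from the advisory's author. It uses Python's bundled binding to libexpat (xml.parsers.expat) and installs an EntityDeclHandler that refuses external entities, parameter entities, over-long replacement text and, most importantly, any entity whose value references another entity, which removes the multiplicative nesting the attack depends on. The same guard is installed explicitly on a child parser created with ExternalEntityParserCreate, the isolated-use case this CVE is about, instead of relying on handler inheritance. The function names, the limits and the sample documents are this example's own assumptions. libexpat's own amplification limits (XML_SetBillionLaughsAttackProtectionMaximumAmplification and the matching activation-threshold setter, available since 2.4.0 in builds with XML_DTD) are not exposed by the Python binding, so this policy complements the library's protection rather than replacing it.

```python
import re
import xml.parsers.expat as expat

# Policy limits chosen for this example; tune them to the documents you accept.
MAX_ENTITY_DECLS = 16
MAX_ENTITY_VALUE_CHARS = 256

# A general entity reference inside a replacement value. libexpat hands the
# value to the handler with such references still unexpanded.
_NESTED_REF = re.compile(r"&[A-Za-z_:][\w.:-]*;")


class EntityPolicyViolation(Exception):
    """Raised inside the declaration handler; pyexpat propagates it out of Parse()."""


def install_entity_guard(parser, counter=None):
    """Attach an EntityDeclHandler to `parser` that enforces the policy.
    `counter` is a one-element list shared between a parent and its child
    parsers, so the declaration cap applies to the document as a whole."""
    if counter is None:
        counter = [0]

    def on_entity_decl(name, is_parameter_entity, value, *_rest):
        counter[0] += 1
        if counter[0] > MAX_ENTITY_DECLS:
            raise EntityPolicyViolation(f"more than {MAX_ENTITY_DECLS} entity declarations")
        if is_parameter_entity:
            raise EntityPolicyViolation(f"parameter entity %{name}; is not allowed")
        if value is None:  # SYSTEM/PUBLIC entity: replacement text comes from outside
            raise EntityPolicyViolation(f"external entity &{name}; is not allowed")
        if len(value) > MAX_ENTITY_VALUE_CHARS:
            raise EntityPolicyViolation(f"entity &{name}; replacement text is too long")
        if _NESTED_REF.search(value):
            raise EntityPolicyViolation(f"entity &{name}; references another entity (nesting forbidden)")

    parser.EntityDeclHandler = on_entity_decl
    return counter


def guarded_external_parser(parent, context, counter):
    """Create a child parser for an external entity and guard it explicitly,
    so it stays protected even when it is used on its own."""
    child = parent.ExternalEntityParserCreate(context)
    install_entity_guard(child, counter)
    return child


def parse_text(xml_text):
    """Parse a whole document under the policy and return its character data."""
    parser = expat.ParserCreate()
    install_entity_guard(parser)
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def external_subset_rejected(dtd_text):
    """Feed DTD declarations to an isolated external-subset parser (context None)
    and report whether the guard rejected them."""
    parent = expat.ParserCreate()
    counter = install_entity_guard(parent)
    child = guarded_external_parser(parent, None, counter)
    try:
        child.Parse(dtd_text, True)
    except EntityPolicyViolation:
        return True
    return False


# Constructed samples: a benign document and the advisory's nested-entity document.
BENIGN_DOC = '<?xml version="1.0"?><!DOCTYPE p [<!ENTITY greet "hello">]><p>&greet; world</p>'
NESTED_DOC = (
    '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "123456789">'
    '<!ENTITY b "' + "&a;" * 13 + '"><!ENTITY c "' + "&b;" * 13 + '">]><x>&c;</x>'
)

if __name__ == "__main__":
    print(parse_text(BENIGN_DOC))  # hello world
    try:
        parse_text(NESTED_DOC)
    except EntityPolicyViolation as err:
        print("rejected:", err)  # entity b references another entity
    print(external_subset_rejected('<!ENTITY b "&a;&a;">'))  # True
```

With nesting forbidden, the only amplification left is linear: a document can reference a flat entity many times, but each reference costs at most MAX_ENTITY_VALUE_CHARS, so total output stays proportional to the input size. The child parser in external_subset_rejected receives the declaration directly, without a parent document referencing it, which is the isolated usage pattern named in the advisory; guarding it explicitly means the policy does not depend on which handlers a particular expat build or binding copies to child parsers.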

In summary, CVE-2024-28757 is a critical XML Entity Expansion vulnerability found in libexpat through 2.6.1. This vulnerability can lead to severe consequences such as denial of service, information leakage, or even remote code execution. To mitigate the risk, update your libexpat library to a more recent version, and properly limit entity expansion within your XML parsing code.

Timeline

Published on: 03/10/2024 05:15:06 UTC
Last modified on: 05/01/2024 19:15:22 UTC