External risk intelligence

WSO2 products can expose customer data and control due to insecure XML handling.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2024-2374

WSO2 products can be tricked into revealing sensitive files or system information because their XML processors allow attackers to provide specially crafted data that causes the system to fetch unwanted content. This could lead to significant data exposure or service disruption.

Halo Surface Signal: 4

XML External Entity Injection

WSO2 API Manager

  • 3.1.0 to before 3.1.0.278
  • 3.2.0 to before 3.2.0.368
  • 4.0.0 to before 4.0.0.280
  • 4.1.0 to before 4.1.0.206
  • 4.2.0 to before 4.2.0.144
  • 4.3.0 to before 4.3.0.57
  • 5.10.0 to before 5.10.0.300
  • 5.11.0...

External exposure likelihood

Halo Surface Signal score for CVE-2024-2374

WSO2 products are frequently deployed as API gateways, integration hubs, and identity services that process XML-based traffic. These roles often involve exposing application endpoints to the public internet to handle API requests or remote service calls, making the vulnerable XML parsing surface commonly reachable in real-world deployments.

Horizon Alert

Summary of the vulnerability and why it matters

WSO2 products can be tricked into revealing sensitive files or system information. This happens because their XML processors allow attackers to provide specially crafted data that causes the system to fetch unwanted content. This could lead to significant data exposure or service disruption.

  • Attackers can read local files.
  • Services can be disrupted.
  • Attackers don't need prior access.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted XML payloads to vulnerable WSO2 products. This allows them to read sensitive files from the server's file system or access other HTTP resources the product can reach. It can also be used to disrupt services by overwhelming the server with large external resource requests.

  • Malicious XML payload required.
  • No authentication needed.
  • Network access to the product.

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely target this vulnerability because it allows for remote file access, information disclosure, and denial-of-service attacks on widely deployed WSO2 products. The ease of crafting malicious XML payloads and the critical impact of successful exploitation make it an attractive target for adversaries seeking to compromise sensitive data or disrupt services.

  • Public exploits are not yet available.
  • No KEV signal observed.
  • No recent exploitation activity is evident.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline WSO2 products with vulnerable XML parsers due to the risk of sensitive data exposure and denial of service. Investigate logs for signs of external entity processing or large recursive entity expansions.

  • Block external XML entity resolution.
  • Update WSO2 products to patched versions.
  • Monitor for unauthorized file access.

Frequently asked questions

What is WSO2 API Manager and what is its function?

WSO2 API Manager is a platform designed for the creation, development, security, and release of APIs, enabling organizations to manage their entire API lifecycle effectively. It facilitates API access for developers and consumers while ensuring robust security and control.

What is CWE-611 in the context of CVE-2024-2374?

CVE-2024-2374 involves CWE-611, an 'Improper Restriction of XML External Entity Reference' weakness. This means the software's XML parsers do not adequately prevent the processing of external entities, potentially allowing attackers to access sensitive information or internal resources by crafting malicious XML payloads.

How can WSO2 products be exploited via the XML parser vulnerability?

Attackers can exploit this by sending specially crafted XML payloads to vulnerable WSO2 products. This allows them to read sensitive files from the server's file system or access other reachable HTTP resources, and can also lead to denial-of-service attacks by exhausting server resources through recursive entity expansion or fetching large external resources. Exploitation does not require authentication and only needs network access to the product.

What is the relevance of CVE-2024-2374 according to Halo Surface Signal?

Halo classifies this CVE as 'Likely' relevant because WSO2 products are often deployed as API gateways, integration hubs, and identity services that process XML traffic. These roles frequently expose endpoints to the internet, making the vulnerable XML parsing surface commonly accessible in real-world scenarios.

What practical steps should be taken regarding this vulnerability?

Organizations should prioritize isolating or taking offline WSO2 products with vulnerable XML parsers to mitigate risks of data exposure and service disruption. It is recommended to investigate logs for signs of external entity processing or large recursive entity expansions. Essential remediation steps include blocking external XML entity resolution and updating WSO2 products to patched versions. Continuous monitoring for unauthorized file access is also advised.
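As an added example that is not part of this advisory, the following Python script implements the log-review step called for in the Operational Fix section and in this answer: it inspects captured XML request bodies for a DOCTYPE, an external DTD or external entity reference, and nested entity definitions whose expansion would exceed a size budget. The regexes, the sample payloads and the 10,000-character threshold are assumptions constructed for the demo, not WSO2's own parser configuration or real traffic.

```python
import re
# Regexes for the DOCTYPE header, ENTITY declarations and entity references (assumed for this
# example; tuned to the constructed samples below rather than the full XML grammar).
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>", re.S)
ENTITY_RE = re.compile(r'<!ENTITY\s+(?:%\s+)?(?P<name>[\w.:-]+)\s+'
                       r'(?:(?P<ext>SYSTEM|PUBLIC)\s+"[^"]*"(?:\s+"[^"]*")?|"(?P<value>[^"]*)")', re.S)
REF_RE = re.compile(r"&([\w.:-]+);")

def expansion_size(value, entities, depth=0):
    """Estimate the fully expanded length of an entity value (cycle-guarded)."""
    if depth > 64:
        return float("inf")
    total = len(REF_RE.sub("", value))
    for ref in REF_RE.findall(value):
        total += expansion_size(entities.get(ref, ""), entities, depth + 1)
    return total

def analyze(xml_text, max_expansion=10_000):
    """Findings for one captured XML body: DOCTYPE, external DTD/entities, excessive expansion."""
    findings = []
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return findings  # no DOCTYPE: neither external entities nor entity expansion is possible
    findings.append("doctype")
    if re.search(r"\b(SYSTEM|PUBLIC)\b", m.group("head")):
        findings.append("external_dtd")  # the DTD itself is fetched from a URI
    entities = {}
    for e in ENTITY_RE.finditer(m.group("subset") or ""):
        if e.group("ext"):
            findings.append("external_entity:" + e.group("name"))  # SYSTEM/PUBLIC entity
        else:
            entities[e.group("name")] = e.group("value")
    size = sum(expansion_size(entities.get(r, ""), entities)
               for r in REF_RE.findall(xml_text[m.end():]))
    if size > max_expansion:
        findings.append(f"entity_expansion:{size}")  # recursive expansion amplification
    return findings

def expansion_sample(levels=5, fanout=10):
    """Build a constructed nested-entity payload (not captured traffic) for the demo."""
    ents = ['<!ENTITY e0 "' + "x" * fanout + '">']
    for i in range(1, levels):
        ents.append(f'<!ENTITY e{i} "' + f"&e{i - 1};" * fanout + '">')
    return "<!DOCTYPE r [" + "".join(ents) + f"]><r>&e{levels - 1};</r>"

SAMPLES = {  # constructed samples: benign, external entity, external DTD, nested expansion
    "benign": '<?xml version="1.0"?><order><id>42</id></order>',
    "xxe": '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///tmp/constructed.txt">]><r>&ext;</r>',
    "dtd": '<!DOCTYPE r SYSTEM "http://dtd.example.com/r.dtd"><r/>',
    "laughs": expansion_sample(),
}
```

Any finding other than an empty list on a production WSO2 endpoint that does not legitimately accept DTDs is worth a ticket; the benign sample shows the check stays quiet on ordinary requests.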
